Db10g external password authentication from Active Directory via OID

Similar Messages

• Db10g external password authentication with Active Directory via OID

  HI ALL
  - i have the synchronization AD-to-OID
  - i have the external authorization of AD users via SSO (external authorization plug-in)
  - i have the DB10g enterprise authorization of OID native users who have their password in OID (global schema)
  - but i cann't configure the DB10g autorization of AD-to-OID synchronized users who don't have their password in OID
  error:
  ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
  i.e. those users are not recognized as users with external passwords.
  Any ideas, please ...

  Funny thing - LDAP (OID and Active Directory) defines a generic heirachical database. Like any other generic database, you need to define the schema to define what data is to be captured.
  Each LDAP application expects a certain schema. That includes Enterprise User Security (part of the Advanced Security Option).
  To accomplish what you want to do
  1) get familiar with the Enterprise User Security capability (see the EUS documentation at tahiti)
  2) learn to configure SQLNet / Oracle Networking to use LDAPthat is responsib (''cause it's Oracle Networking responsible for the login)
  3) Reverse the schema from OID and transport it to AD
  Aside from that, it's a no-brainer.

• Password Sync from Active Directory Locking Accounts

  Hello,
  We recently set up Active Directory as a resource and are synching passwords. We are using IDM 7.1.1.11. We are noticing that when actions in IDM push the password out to AD, and they sync comes back to IDM, the sync workflow is locking up the account, before the original IDM action completes. For example, when an admin resets a users password, they see several error messages stating that the account is locked by the account that authenticates through the password sync utility. They also see succesful password reset messages, but I would like it if they didn't see errors saying the account is locked. We are using a direct connection between the Password Sync util and IDM. Has anyone ran into this? Any advice on overcoming it?
  Thanks.
  Jim

  I opened a support case with Sun about this issue, and they recommended logging a trace file for com.waveset.adapter.ActiveDirectoryActiveSyncAdapter. While the tracefile does not seem to contain any useful information, the simple fact that there is tracing going on for it now seems to be easing the situation. In my test environment I saw occurrences of this locking problem drop by 90-95% simply by turning the tracing on. I started tracing in production in the hopes that it will at least lessen the occurances of this.
  Sounds like we are taking the same approach Raj, the problem I've been having with it is getting it to happen will I'm debugging our reset password workflow. I want to make sure I add the locking check in the right place, so I was attempting to determine which area to check for it.
  I'll be sure to keep the thread updated if anything changes on our end.
  Jim

• Oracle forms authentication with active directory without OID

  Hi Gurus,
  I need to implement active directory authentication in oracle forms.
  My scenario is this:
  1. The user is created in active directory
  2. The user is imported in our aplication, and then I assign the roles in Oracle, and create the user in my aplicattion.
  When the user logs, the system have to validate the password with MS-AD. If the password is right, then, the system start a session in Oracle.
  My questions are:
  1. How can I validate the password in AD ? Is it in clear text, unix crypt, AES ?
  2. In case the user has changed the password in AD, how can obtain he logs in oracle with the new password ?
  We use oracle enterprise edition, but we don't have oracle applications, so i can't use identity management.
  Thanks in advance for your help

  You will need Oracle SSO and OID to implement Active Directory authentication for Oracle Forms. It comes with Oracle Application Server. You will need to read up on how to use AD instead of OID as the user store for Oracle Single Sign-on (SSO). Forms will use SSO to login not really knowing which user store is used so there is no config needed on the Forms side (except enabling SSO).

• Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

  Hi,
  Since we implemented Cisco ISE we receive the following failure on several Notebooks:
  Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
  This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
  The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
  Why is this happening?
  Thanks,
  Marc

  The possible causes of this error message are:
  1.] If the end user entered an incorrect username.
  2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
  3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
  In your cases, the 3rd option seems to be the most closest one.
  Jatin Katyal
  - Do rate helpful posts -

• Oracle 9i/10G DB authentication using Active Directory (with out OID)

  Hello All,
  We want to use a Single-Password authentication scheme using the Active
  Directory as the primary source for userId/Password.
  We don't want to use the Active Directory and OID bridge.
  As we have many databases and would like to configure all Databases to use Active
  Directory for Authentication. Our goal is to have single id/password across all
  the databases and any user should be able to login from any computer using their
  windows id/password, note that we don't want to use the OSAuthentication.
  We have read the documents provided by oracle for authentication using Active
  Directory, we were able to create Oracle Schema in Active Directory and were
  also able to register a DB with Active Directory and then created user as global
  user in Oracle Database and provided the DN of the user. When we tried
  authenticate with all this setup it comes back and says invalid ID/Password !!!
  And with 10G database we get the Oracle Error ORA-03113: end-of-file on communication channel !!
  Has any one tried or have information on Integrating Oracle to Auth against Active Directory?
  Envoirnment:
  Oracle DB Version: 9.2.0 and also tried on 10.0.1 with same results
  Operating System: Windows 2000/ Windows 2000 Server
  Constraint: We don't want to user OID ( as we don't have license for this
  product ! )

  I have a thread started similar to your request.
  OS Authenication on Windows
  Somewhere I read this. It works on Oracle 9i on Linux, but I have not tried it with Oracle 9i on Windows.
  SHOW PARAMETER OS_AUTHENT_PREFIX;
  SHOW PARAMETER REMOTE_OS_AUTHENT;
  CREATE USER OPS$SOMEUSER IDENTIFIED EXTERNALLY;
  GRANT CREATE SESSION TO OPS$SOMEUSER;
  For the username, I wonder if we are supposed to put the Windows Domain name as part of the username? Such as, for a Windows domain user MyDomain\SomeUser
  CREATE USER OPS$MYDOMAIN\SOMEUSER IDENTIFIED EXTERNALLY;
  I really wish Oracle or somebody created a guide or book on how to do this.

• How do I get info from Active Directory and use it in my web-applications?

  I borrowed a nice piece of code for JNDI hits against Active Directory from this website: http://www.sbfsbo.com/mike/JndiTutorial/
  I have altered it and am trying to use it to retrieve info from our Active Directory Server.
  I altered it to point to my domain, and I want to retrieve a person's full name(CN), e-mail address and their work location.
  I've looked at lots of examples, I've tried lots of things, but I'm really missing something. I'm new to Java, new to JNDI, new to LDAP, new to AD and new to Tomcat. Any help would be so appreciated.
  Thanks,
  To show you the code, and the error message, I've changed the actual names I used for connection.
  What am I not coding right? I get an error message like this:
  javax.naming.NameNotFoundException[LDAP error code 32 - 0000208D: nameErr DSID:03101c9 problem 2001 (no Object), data 0,best match of DC=mycomp, DC=isd, remaining name dc=mycomp, dc=isd
  [code]
  import java.util.Hashtable;
  import java.util.Enumeration;
  import javax.naming.*;
  import javax.naming.directory.*;
  public class JNDISearch2 {
  // initial context implementation
  public static String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
  public static String MY_HOST = "ldap://99.999.9.9:389/dc=mycomp,dc=isd";
  public static String MGR_DN = "CN=connectionID,OU=CO,dc=mycomp,dc=isd";
  public static String MGR_PW = "connectionPassword";
  public static String MY_SEARCHBASE = "dc=mycomp,dc=isd";
  public static String MY_FILTER =
  "(&(objectClass=user)(sAMAccountName=usersignonname))";
  // Specify which attributes we are looking for
  public static String MY_ATTRS[] =
  { "cn", "telephoneNumber", "postalAddress", "mail" };
  public static void main(String args[]) {
  try { //----------------------------------------------------------        
  // Binding
  // Hashtable for environmental information
  Hashtable env = new Hashtable();
  // Specify which class to use for our JNDI Provider
  env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
  // Specify the host and port to use for directory service
  env.put(Context.PROVIDER_URL, MY_HOST);
  // Security Information
  env.put(Context.SECURITY_AUTHENTICATION, "simple");
  env.put(Context.SECURITY_PRINCIPAL, MGR_DN);
  env.put(Context.SECURITY_CREDENTIALS, MGR_PW);
  // Get a reference toa directory context
  DirContext ctx = new InitialDirContext(env);
  // Begin search
  // Specify the scope of the search
  SearchControls constraints = new SearchControls();
  constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
  // Perform the actual search
  // We give it a searchbase, a filter and the constraints
  // containing the scope of the search
  NamingEnumeration results = ctx.search(MY_SEARCHBASE, MY_FILTER, constraints);
  // Now step through the search results
  while (results != null && results.hasMore()) {
  SearchResult sr = (SearchResult) results.next();
  String dn = sr.getName() + ", " + MY_SEARCHBASE;
  System.out.println("Distinguished Name is " + dn);
  // Code for displaying attribute list
  Attributes ar = ctx.getAttributes(dn, MY_ATTRS);
  if (ar == null)
  // Has no attributes
  System.out.println("Entry " + dn);
  System.out.println(" has none of the specified attributes\n");
  else // Has some attributes
  // Determine the attributes in this record.
  for (int i = 0; i < MY_ATTRS.length; i++) {
  Attribute attr = ar.get(MY_ATTRS);
  if (attr != null) {
  System.out.println(MY_ATTRS[i] + ":");
  // Gather all values for the specified attribute.
  for (Enumeration vals = attr.getAll(); vals.hasMoreElements();) {
  System.out.println("\t" + vals.nextElement());
  // System.out.println ("\n");
  // End search
  } // end try
  catch (Exception e) {
  e.printStackTrace();
  System.exit(1);
  My JNDIRealm in Tomcat which actually does the initial authentication looks like this:(again, for security purposes, I've changed the access names and passwords, etc.)
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
  connectionURL="ldap://99.999.9.9:389"
  connectionName="CN=connectionId,OU=CO,dc=mycomp,dc=isd"
  connectionPassword="connectionPassword"
  referrals="follow"
  userBase="dc=mycomp,dc=isd"
  userSearch="(&(sAMAccountName={0})(objectClass=user))"
  userSubtree="true"
  roleBase="dc=mycomp, dc=isd"
  roleSearch="(uniqueMember={0})"
  rolename="cn"
  />
  I'd be so grateful for any help.
  Any suggestions about using the data from Active directory in web-application.
  Thanks.
  R.Vaughn

  By this time you probably have already solved this, but I think the problem is that the Search Base is relative to the attachment point specified with the PROVIDER_URL. Since you already specified "DC=mycomp,DC=isd" in that location, you merely want to set the search base to "". The error message is trying to tell you that it could only find half of the "DC=mycomp, DC=isd, DC=mycomp, DC=isd" that you specified for the search base.
  Hope that helps someone.
  Ken Gartner
  Quadrasis, Inc (We Unify Security, www -dot- quadrasis -dot- com)

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• Link DN with information coming from active directory

  I have setup a Unified CM and IM/presence server. The Unified CM server is connected to LDAP active directory to authenticate the users that login via the Cisco Jabber Windows client. I have configured CSFdevices for each user and created a DN which has the same number as the normal phone line number. The users logging in to the cisco jabber client appears well as reachable in to the client for the other user that are logged in. However when I try to call them (via the number that comes from active directory) this doesn't work. (busy number) When I type the number that I have configured as a DN I succeed to make a connection with a different user.
  Any idea how to link the DN from the CSF softphone with the information that comes from Active directory.
  Any help would be appreciated.

  Forget about application dial rules mate, if you do desk phone control using Jabber, and you dial a person  using that person's telephone attribute in AD, just put a translation pattern in place. That should work.
  that way you can also use DNA for troubleshooting purposes.
  Alternatively, you can populate the ipphone in AD and populate that with the extension that is configured on the phone/CSF device and alter the LDAP atrribute mappings in Presence  (applications>cisco jabber>jabber settings).  but this will not solve your problem if you use like iphones, ipads .
  =============================
  Please remember to rate useful posts, by clicking on the stars below.
  =============================

• Authentication on Active Directory using JNDI (A Proffessional Appraoch)

  I am using following code for getting authenticated on Active Directory by user logon name.
  Can any one tell me a more proffessional and fool proof appraoch for authenticating a user on Active Dir through my web interface ???
  thanks in advance
  * Created on Nov 10, 2004
  package auth;
  import java.util.Hashtable;
  import javax.naming.AuthenticationException;
  import javax.naming.Context;
  import javax.naming.NamingEnumeration;
  import javax.naming.NamingException;
  import javax.naming.directory.DirContext;
  import javax.naming.directory.InitialDirContext;
  import javax.naming.directory.SearchControls;
  import javax.naming.directory.SearchResult;
  * @author Tushar Agrawal
  * Created On Nov 10, 2004
  public class UserAuthentication {
       public UserAuthentication() {
            super();
       public NamingEnumeration loginToActiveDirectory(
            String logonName,
            String password,
            String domain) {
            boolean success = false;
            NamingEnumeration attrs = null;
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.PROVIDER_URL, "ldap://domain:389/dc=SECLORE,dc=com");
            env.put(Context.SECURITY_PRINCIPAL, logonName + "@" + domain);
            env.put(Context.SECURITY_CREDENTIALS, password);
            //env.put(Context.SECURITY_PROTOCOL, "ssl");
            env.put("java.naming.ldap.version", "3");
            env.put(Context.REFERRAL, "follow");
            try {
                 String base = "";
                 DirContext ctx = new InitialDirContext(env);
                 SearchControls controls = new SearchControls();
                 controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                 controls.setReturningAttributes(
                      new String[] {
                           "sAMAccountName",
                           "userPrincipalName",
                           "displayName",
                           "memberOf",
                           "objectSid",
                           "title" });
                 NamingEnumeration e =
                      ctx.search(base, "sAMAccountName=" + logonName, controls);
                 if (e.hasMore()) {
                      SearchResult r = (SearchResult) e.next();
                      attrs = r.getAttributes().getAll();
                      /*while (attrs.hasMore()) {
                           System.out.println(attrs.next());
                      ctx.close();
            } catch (AuthenticationException e) {
                 System.err.println("Problem getting attribute: " + e);
                 success = false;
            } catch (NamingException e) {
                 System.err.println("Problem getting attribute: " + e);
                 success = false;
            return attrs;
  tushar agrawal

  You''l find more info at :
  http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/fs-jndi-realm.html
  http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
  That's the right way to do it.

• Portal Authentication using Active Directory

  I am trying to set up authentication using Active Directory. Can anyone provide me with instructions on what to do ? I know that I have to go to System Admin - > System Configuration - > UM configuration and change the Data Source. What else do I need to do...How do specify which domain to authenticate against. Do I have to change the XML file. Please help.

  It depends on what you wanna do with the AD server. If you want to read/write on the AD then you have to first setup SSL connection between the two boxes.Else if you just want to read from AD server you don't require a SSL connection. Then you have to select the hierarchy type in the System Admin - > System Configuration - > UM configuration. Save.
  Next thing you do is to open the config tool and modify your xml file accordingly.
  And restsart the server.
  Hope this helps.
  Regards,
  Hassan

• Getting a user's primary group from Active Directory

  I'm coding a java web app that should authenticate a user to Active Directory and return his primary group.
  Using JNDI apis I realized the first part (authentication) and functions well but still having problems with the second part (getting the user's primary group).
  Is there somebody who knows/gets some codes for getting this info from Active Directory using java?
  Thanks a lot.
  Regards.
  John.

  I'm coding a java web app that should authenticate a user to Active Directory and return his primary group.
  Using JNDI apis I realized the first part (authentication) and functions well but still having problems with the second part (getting the user's primary group).
  Is there somebody who knows/gets some codes for getting this info from Active Directory using java?
  Thanks a lot.
  Regards.
  John.

• User profiles from Active directory when loggedin then userdisplay, useredit shows blank white screen in SharePoint 2013

  User profiles from Active directory when loggedin then userdisplay, useredit shows blank white screen in SharePoint 2013 
  I can login with the these AD users and AD direct import is working just fine. We are not using UPS.
  With admin user when I click on the user it shows up proper data. But when I login with the same user it does not show me userdisplay/useredit and shows blank data. Also another strange thing is when I add new item in list with these AD users created by
  modified by is blank and its really strange. I checked user information list, tried to rerun user sync with direct AD import option but no success.
  MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

  Hi Amit,
  According to your description, my understanding is that the page is blank when the use accessed /_layouts/15/userdisp.aspx and the created by field was blank when the user created a new list item in SharePoint 2013.
  I tested the same scenario per your post, however I cannot reproduce your issue.
  For troubleshooting this issue, I recommend to verify the things below:
  Check the permission of the user in the corresponding site collection to see if he can access /_layouts/15/userdisp.aspx.
  Delete the user from AD and SharePoint, then re-add the user to AD and grant proper permission to the user in SharePoint to see if the issue still occurs.
  Did this issue occur with all the users? Add a new user in AD and test the same scenario.
  Best regards.
  Thanks
  Victoria Xia
  TechNet Community Support

• Client Certificate Mapping authentication using Active Directory across trusted forests

  Hi,
  We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the exist in the on-premises AD and the 1-way trust allows them to use their
  credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
  We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premise servers configured with "AD CLient Certificate
  Mapping".
  However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
  1. Is this possible?
  2. If yes, what do we need to do to make this work.
  Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

  1. Yes!
  2. Before answering this I need to know if your are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements
  and mapping?
  /Hasain
  We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
  To simulate the scenario, I setup up two separate forests and established a trust between them.
  I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
  I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
  I setup a test ASP page to capture the Login Info on both the servers.
  With the client and the server in the same forest, I got the following results
  Login Info
  LOGON_USER: CORP\ASmith
  AUTH_USER: CORP\ASmith
  AUTH_TYPE: SSL/PCT
  With the client in the domain with the PKI and the server in the other Forest, I got the following response
  Login Info
  LOGON_USER:
  AUTH_USER:
  AUTH_TYPE: 
  I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
  With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
  401 - Unauthorized: Access is denied due to invalid credentials.
  You do not have permission to view this directory or page using the credentials that you supplied

• How to set in Windows 8.1 the Account Picture from Active Directory

  Hello All,
  In my company I have uploaded the photos for
  each employees in
  Active Directory using a powershell script that set the attribute
  thumbnailphoto.
  This is useful for images in Lync and Outlook,
  now I want to use these pictures
  to sync with the account picture
  in Windows 8.1 but I haven't found anything in internet that helps me
  for this.
  I hope someone can help me,
  Thanks!

  Hi,
  You can try the steps in following article:
  Using Pictures from Active Directory
  http://msitpros.com/?p=1036
  This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore,
  Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you
  completely understand the risk before retrieving any software from the Internet.
  For your reference, here is the similar thread with different method:
  http://social.technet.microsoft.com/Forums/en-US/d6e7b2c3-c343-4900-a01d-24bfb30357b6/is-there-a-solution-to-set-user-account-picture-from-active-directory-thumbnailphoto-attribute-in?forum=w8itproinstall
  Hope these would be helpful.
  Kate Li
  TechNet Community Support