EJB call from one domain to another, authentication problem

Two Weblogic servers. WLS A and WLS B. Different domains. Trust relationship between the domains can't be established.
I have an EJB in WLS B and there is a Web Application deployed to WLS A. There are method-permission declarations in the EJB descriptor xml.
Step 1. User authenticates to Servlet in Web Application (WLS A). Authentication is done with Http Basic Authentication.
Step 2. Servlet makes a JNDI lookup to get a handle to the EJB. The handle cannot be fetched with the authentication information which was provided by the user to the servlet. This means that I need to specify a different username and password, which should be used for authentication at WLS B.
Step 3. After getting a handle to the EJB Servlet calls a method of the EJB.
Everything seems extremely simple. And it should be. But no.
At step 2 servlet propagates authentication information from WLS A to WLS B. This authentication information is valid only inside WLS A, not in WLS B. Result: SecurityException: Invalid Subject.
Setting SECURITY_PRINCIPAL and SECURITY_CREDENTIALS to InitialContext while creating it still results in propagation of authentication information. Same exception.
So I tried something else.
The code doing the JNDI lookups and EJB calls was wrapped inside a Security.runAs(new Subject(), ....) block. Authentication information is no longer propagated to WLS B, so the JNDI lookup succeeds, excellent!
But we only got one step further. Now we still need to make the call to EJB method at step 3.
Now that EJB method call results in Security Violation: User: <anonymous> has insufficient permission to access my method.
It's a bit strange, because the username and password (for WLS B) were provided to the InitialContext while creating it. If the password is invalid, the InitialContext can't be created. So it seems that at least the username and password ARE checked at WLS B.
Any help and/or suggestions would be highly appreciated.
Here is a misc list of some misc wondering:
-Step 2. Should we make the JNDI lookup to the JNDI tree of WLS A instead of WLS B? If we do so, then we should use ejb-refs in web.xml. This was also quickly tested with no results.
-Would run-as-identity (or some similar element) help? Maybe we could set up some Credential Mapper to WLS A, which would provide username/password when making calls to EJB's of WLS B. Documentation about Credential Mappers seems to be quite useless.
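The three steps from the question, reconstructed as an added example (this is not code from the original post): a servlet-side helper that authenticates to WLS B with a dedicated service account inside Security.runAs(new Subject(), ...) and keeps both the JNDI lookup and the EJB call inside that block, on the same thread, before the context is closed. The interface OrderServiceRemote, the JNDI name "ejb/OrderService", the class name and the t3 URL are assumptions; the service account is assumed to exist in WLS B's realm and to belong to a group mapped to the role named in the EJB's method-permission.

```java
import java.security.PrivilegedAction;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;

import weblogic.security.Security;

/** Hypothetical EJB 3 remote business interface deployed in WLS B. */
interface OrderServiceRemote {
    String placeOrder(String orderId);
}

/**
 * Calls an EJB in the other domain (WLS B) under a dedicated service identity
 * instead of the end user's WLS A subject. Class, interface, JNDI name and
 * provider URL are assumed for illustration.
 */
public class RemoteDomainEjbClient {

    private final String providerUrl;     // assumed, e.g. "t3://wls-b-host:7001"
    private final String serviceUser;     // WLS B account holding only the role the EJB method needs
    private final char[] servicePassword; // load from a credential store, never hard-code it

    public RemoteDomainEjbClient(String providerUrl, String serviceUser, char[] servicePassword) {
        this.providerUrl = providerUrl;
        this.serviceUser = serviceUser;
        this.servicePassword = servicePassword.clone();
    }

    public String placeOrder(final String orderId) {
        // runAs with an empty Subject: the caller's WLS A identity is not propagated to WLS B.
        Object result = Security.runAs(new Subject(), new PrivilegedAction<String>() {
            public String run() {
                Context ctx = null;
                try {
                    Hashtable<String, Object> env = new Hashtable<String, Object>();
                    env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
                    env.put(Context.PROVIDER_URL, providerUrl);
                    env.put(Context.SECURITY_PRINCIPAL, serviceUser);
                    env.put(Context.SECURITY_CREDENTIALS, new String(servicePassword));
                    ctx = new InitialContext(env); // authenticates serviceUser against WLS B's realm
                    // Lookup and the business call stay on this thread, inside the same runAs
                    // block and before close(): WebLogic associates the JNDI-authenticated
                    // identity with the thread only from InitialContext creation until close().
                    OrderServiceRemote svc = (OrderServiceRemote) ctx.lookup("ejb/OrderService");
                    return svc.placeOrder(orderId);
                } catch (NamingException e) {
                    throw new IllegalStateException("JNDI lookup in WLS B failed", e);
                } finally {
                    if (ctx != null) {
                        try { ctx.close(); } catch (NamingException ignore) { /* nothing to recover */ }
                    }
                }
            }
        });
        return (String) result;
    }
}
```

The servlet would construct one instance with the WLS B service credentials and call placeOrder() from its request handling; if the call still arrives as <anonymous>, check that the service user is a member of a WLS B group mapped to the role in method-permission.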


Similar Messages

  • HT204380 How can I make a FaceTime call from one country to another (supposing both parties are using iPhone 4s)? What will the caller charges be? If there are no charges as we use wifi, will there be a charge till connecting the call?

    How can I make a FaceTime call from one country to another (supposing both parties are using iPhone 4s)? What will the caller charges be? If there are no charges as we use wifi, will there be a charge till connecting the call?

    FaceTime is free to use. You will not be charged for using FaceTime.

  • Powershell Copy User Description from one Domain to another in one Forest

    Hi.
    I would like to copy the Description field from one domain to another domain in the same forest.
    First I would like to get the following data from source domain
    - SamAccountName
    - Description
    - Office
    - Job Title
    - Department
    - Manager
    I would like to get this information into a txt-file. That I can manage myself, I think.
    These values should then be set on the destination domain - and here my powershell skills are not sufficient. How do I add these values from the txt-file to existing users? (if some users aren't there, the script should continue)....
    I can Get-AdUser -Identity xxx -Server sourcedomain and Get-AdUser -Identity xxx -Server destinationdomain from the same powershell windows.
    Regards
    Carsten

    Hi. Thank you very much for helping me out. I tried the above script and added in additional properties.
    When I run the script, I only get one line in my csv-file, the Office-field is empty and all items appear on screen instead of output to file.
    The script looks as follows:
    $ou = [adsi] "LDAP://<Server>"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher $ou
    $searcher.Filter = 'objectClass=user'
    $result = $searcher.FindAll()
    # Collect one object per user. ADSI properties are value collections, so cast
    # each to [string]; the "Office" field lives in the physicalDeliveryOfficeName attribute.
    $users = foreach ($entry in $result) {
        $contact = $entry.GetDirectoryEntry()
        [pscustomobject]@{
            SamAccountName = [string]$contact.sAMAccountName
            Description    = [string]$contact.description
            Office         = [string]$contact.physicalDeliveryOfficeName
            Title          = [string]$contact.title
            Department     = [string]$contact.department
            Manager        = [string]$contact.manager
        }
    }
    # Export the collected objects (not the raw search result) to the CSV file
    $users | Export-Csv -Path output.csv -NoTypeInformation
    Carsten

  • What's the best way to transfer (not forward) a call from one iPhone to another?

    What's the best way to transfer (not forward) a call from one iPhone to another? Is there an app available that does this? I'm asking about receiving a call, then transferring that caller to another iPhone on a separate number and then disconnecting while those two users are joined up in a conversation.

    Ask your carrier. This would be a feature provided by them.

  • How to migrate Distribution list from one domain to another within same forest

    team,
    we are in the process of migrating all users' mailboxes, DLs and contacts from one domain to another within the same forest.
    can someone please let me know how we can migrate them without losing the group membership and exchange attributes.
    Kindly help.
    Srinivasa K

    I ran all of them.
    First command: it works very well and it removed the exchange attribute
    $DomCtrlr = (Dir env:Log*).Value.Replace('\','')
    Get-MailContact -OrganizationalUnit Contacts -DomainController $DomCtrlr | Export-Csv E:\MailContacts.csv
    Get-Contact -OrganizationalUnit Contacts -DomainController $DomCtrlr | Export-Csv E:\UserContacts.csv
    Import-Csv MailContacts.csv | Disable-MailContact -DomainController $DomCtrlr
    Second command
    $DomCtrlr = "DCNAME"
    $MailContacts = Import-Csv E:\MailContacts.csv
    $UserContacts = Import-Csv E:\UserContacts.csv
    after running the above command, I copied the below into notepad and saved it as .PS1; as per your advice I made sure that the part starting with new-mailcontact and the 2 lines below are on the same line, and executed the ps1 script.
    The script ran but didn't give me any error message.
    # For each mail contact, find the matching user contact by alias and recreate it
    # as a mail contact in the Test_con OU (the OU name was split onto the next line in the post)
    ForEach ($Contact in $MailContacts) {
        $UserContacts | ? { $_.SamAccountName -eq $Contact.Alias } | % {
            New-MailContact -DomainController $DomCtrlr -LastName $_.LastName -FirstName $_.FirstName -Alias $_.SamAccountName -DisplayName $_.DisplayName -Name $_.Name -ExternalEmailAddress $Contact.ExternalEmailAddress -OrganizationalUnit Test_con
        }
    }
    By running
    $MailContacts : it provided the stored value for users
    $UserContacts : it provided the stored value for users
    after running the below in a single notepad as .ps1, not getting an error message, but it's not giving any output nor error.
    suspecting something needs to be checked on the for loop
    # Diagnostic loop: emit each user contact whose SamAccountName matches a mail contact alias
    ForEach ($Contact in $MailContacts) {
        $UserContacts | ? { $_.SamAccountName -eq $Contact.Alias } | % {
            $_
        }
    }
    Hope this explained clearly.
    Srinivasa K

  • RFC Call from one server to another

    Hi,
    Is it possible to use an rfc from one server to another on the same network?
    My Idea was that we can do so, however there's a little confusion about the same .
    Please clarify.
    Regards,
    Vikas

    Hi,
       call SE37 and search for RFC* with F4.
    Sending system side(SEND--800)
    Create function module by using Tcode SE37 or SE80
    goto attributes select remote function
    activate
    Receiving system side(RECE--000)
    goto Tcode SM59
    here select the R/3 Connections-->click on Create Button
    give RFC Destination : TESTRFC
    Connection Type : 3 for Connecting two systems
    Description : Some meaningful Description
    Press enter
    give Target system Name : SEND
    Language : EN
    Client : 800
    user Name : sapuser
    Password : xxxxxx
    save this connections & click on test connections(f8)
    & Remote logon(f7)---> it will open a session
    with client 800 that is your sending system
    then only your RFC is correct
    create a report in SE38 Tcode
    data : c1 type i.
    data : itab like mara occurs 0 with header line.
    call function 'ZRFCFM' destination 'TESTRFC'   " function module 'ZRFCFM' you just created at the sending system
      exporting
      importing
      exceptions
    Reward points
    Regards

  • AD Migration from one domain to another domain between different Forest.

    Dear Team,
    We have a domain named "test.gov.in". Now we want to migrate all the users, computers, groups, GP, etc. into our new domain "abc.net". The operating system of the source DC and destination DC is the same (Windows 2003 32 bit).
    Pls provide me the steps to migrate from one domain to another domain between different forests
    Thanks
    Anurag

    Would agree with Christoffer and migrate using ADFS but before you can do this you will need to set up a trust between the two domains.  Once this has been accomplished then you can run ADMT.
    http://technet.microsoft.com/en-us/library/cc740018(v=WS.10).aspx
    ADMT is a free download from Microsoft
    http://www.microsoft.com/en-us/download/details.aspx?id=8377
    ADMT Guide
    http://www.microsoft.com/en-us/download/details.aspx?id=19188
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

    I think you mean ADMT and not ADFS :)
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Exchange Migration from One domain to another domain on same forest

    Team, 
    we are in the process of migrating exchange infrastructure from one child domain to another child domain within the same forest.
    root domain - root.com
    child domains - US.root.com and EMEA.root.com
    EMEA and US Domains setup are different from each other. Like EMEA has different email address policy , Email Flow than US , connectors etc.
    Now we need to migrate all emea users under US Domain. based on the geographical locations, we are building a new dc, mailbox , cas servers on EMEA location , but these servers will be part of US Domain.
    for CAS Servers - we are planning to register respective sites (site affinity), so all the local requests will be handled by the new cas server which is built under the US Domain.
    Mailbox Servers - we would be creating new db's and the limits  on new mbx server and going to replicate as its on EMEA Mailbox server.
    can some one please let us know what are the precautions , recommendation, sequence which we need to follow to perform smoother migration. as of now , I can think of below topics.
    Mailbox Migration - I have a script, which will take care of mailbox movement once the objects are being moved.
    Contacts Migration - Willard Martin blog helped me to perform migration
    DL Migration - I believe there is no mechanism to migrate DL. only option is to recreate.
    Email address Policy:we would be creating a new address policy and apply to OU's
    DB Consistency check – do we have to perform the health checks on source mailbox server to see , the servers are free from errors /corruption.
    Check outlook configuration - After the migration, we need to check and see , the exchange server/ auto discover works and identify the new exchange servers.
    Internal /External Email flow.- 
    ActiveSync, OWA
    Public folder Migration -
    Offline Address Book
    Certificates
    any help or suggestions would be great.
    Srinivasa K

    Hi Srinivasa,
    According to your description, I think you have done all the preparation.
    For DL migration, the following article may give your some hints:
    How to Migrate Distribution Groups Across a Forest
    Good Luck!
    Niko Cheng
    TechNet Community Support

  • From one domain to another....

    If I have 2 domain files with different sites in each, Is it possible to copy site A from Domain A to Domain B?
    I know the short answer is no, but is there perhaps a long answer...?
    cheers,
    s

    There was a time, and it was quite some time ago when something similar was tried and it didn't meet with much success. Sure, it may not have been Domain files, it may have been something more like, say, rocks, but the general principle still applies. If you look at the XML and media parts that make up a Domain file, you can think of those pieces as analogous to the atoms in your average run-of-the-mill rock. Though the atoms in two given average run-of-the-mill rocks may seem quite similar, and cracking them open reveals innards that are almost entirely, but not quite, the same, it's still quite difficult to make one whole rock out of the two.
    Now, some say alchemists might be able to accomplish this quite daunting task, but, until a study of use for Domain files (perhaps XMLchemy?) is initiated and studied most earnestly, we shall probably remain unable to bring about the union of one Domain file and another. Or were we talking about the rocks? (You can't melt Domain files, can you? The thought just hit me is all...)
    How's that for a long answer?

  • Can I switch a FaceTime call from one device to another?

    I would like to know if there is a way to pick up a Facetime call on one device and then switch it mid-call to another device, in the same way one is able to put down one extension and pick up another in mid-call to transfer it to another handset on a landline?
    Thanks!

    Do you mean re-download...?
    If so, see here... Download Past Purchases  >  http://support.apple.com/kb/HT2519

  • File associations are lost when user account is migrated from one domain to another domain (SID changes)

    Hello,
    Currently we are in the middle of a migration project. We are migrating users from child domains to the root domain of one organization.
    The user accounts are migrated with powershell using Move-ADObject cmdlet. This works as expected. The SIDHistory attribute is updated correctly.
    Recently we received complaints from some *migrated* users - they lost their default/custom file associations. This happens only on Windows 8/Windows 8.1.
    What happens:
    the user is migrated and logs on
    her profile loads and everything's preserved (as expected)
    the user clicks on a .jpeg file (previously associated with program XYZ)
    OS asks the user to choose a program to open the file with
    the user chooses a default program XYZ and the file opens
    when the user clicks on a .jpeg file again - OS asks to choose a program again
    i.e. the settings are not preserved.
    Our investigation shows that it is connected with the UserChoice registry key and the HASH value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.SomeExt
    According to this blog 
    the HASH is calculated based on the user's SID. But after the migration the user has a new SID and the HASH becomes invalid and we hit this:
    "However In Win 8, the registry changes are verified by a hash (unique per user and app)  that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry."
    Currently deleting the UserChoice key for all associations solves the problem. But the user has to make all her customizations again which is undesirable.
    Is there any supported way to fix this? Why doesn't the OS update the HASH after the first logon when the SID has changed, as it updates the SID for the ProfileList key?
    This could become a big issue in large migrations.

    Hello Petar K. Georgiev,
    Please check the following article to change the registry key to change back to the default file type associations.
    http://www.sevenforums.com/tutorials/19449-default-file-type-associations-restore.html
    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Fangzhou CHEN
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Webservice call from one application to another application

    Hi all,
    I am new in ADF and using jdeveloper version 11.1.1.0.0. Now I am working in an application where my steps are as follows,
    I have two applications, say App1 and App2. I want to make a webservice call from App1 to App2. Through this webservice call I will pull the data from App2 and populate the data inside a .jspx file.
    I am not understanding how I will do that.
    please give your useful comments.

    Hi,
    I have two applications, say App1 and App2. I want to make a webservice call from App1 to App2. Through this webservice call I will pull the data from App2 and populate the data inside a .jspx file.
    I am not understanding how I will do that.
    A service won't allow you to access the live instance of an application and instead creates its own data session. So while you can query data that belongs to App2, you won't be able e.g. to access a user's uncommitted data changes
    Frank

  • I have migrated a user's mysite in sharepoint 2013 from one domain to another.The issue is that old activtiy data i.e newsfeed data is not seen

    For eg :
    I had a user called domain1\user1 whose mysite was created as http://my/personal/user1.
    Now this user moves to another domain, say domain2\user1. Since the mysite is already present no new mysite will be created.
    Move-SPUser -Identity "domain1\user1" -NewAlias "domain2\user1"
    After executing the above query, the user is migrated and is able to log in to the mysite. But the newsfeed data is not seen. I can see it in the microfeed list but not in the newsfeed page. All other data like documents, tags, people etc. is present
    harsh damania

    it should move all the profile data along with it, I would check the ULS logs for any clue.
    also make sure the following timer jobs ran successfully
    User Profile service application name - User Profile to SharePoint Quick Synchronization
    User Profile service application name - Feed Cache Repopulation
    User Profile service application name - Activity Feed Job
    Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

  • Migrating users from one domain to another(Interforest)

    Scenario- Two Domains A & B in two different forests.
    A - holds exchange server in DMZ and 2 domain controllers in A used by exchange also in DMZ
    B holds all users and computers and 2 Domain controllers used for authentication .
    Now I want to migrate all users and computers  in B domain to A domain using ADMT
    My question here is
    1. Can I use the DCs used by exchange to authenticate if I migrate users and computers from B to A.
    2. If not what is the work around here. I want to build  an action plan on this.

    After the migration users will be in Domain A.  Authentication will happen locally in Domain A using Domain A DCs.   Make sure you have correct DNS server (DNS from domain A) for these workstations. 
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
    Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
    Blogs: Blogs
    Twitter: Twitter
    LinkedIn: LinkedIn
    Facebook: Facebook
    Microsoft Virtual Academy:
    Microsoft Virtual Academy
    This posting is provided AS IS with no warranties, and confers no rights.

  • Moving Folder Redirect from one Domain to Another on Different Servers

    We are in the process of putting in a new server; Win Server 2008 R2, and creating a new domain for a client. We need to move the folder redirect from the current server (server1.currentdomain) to the new server on the new domain (server2.newdomain). We want to keep the UNC on the client PC's the same. The SAM file will be rewritten.
    What is the best way to go about this?
    What potential security/rights issues can we prepare for?
    Thanks.

    Hi,
    As you said the NTFS permission could be an issue if we move Folder Redirection to another domain.
    Generally users should be the owner of their own redirected folders. However as folders are moved to a different domain, all permissions for user accounts in old domain will not be recognized.
    In this situation you can try to set folder redirection policy in new domain first so that folders will be created - remember uncheck the settings of "Grant the user exclusive rights" so that domain admins still have permissions on these folders.
    Then you can copy files from old server "into" these created folders.
    If you have any feedback on our support, please send to [email protected]
