Enable Kerberos Authentication for OWA only

Similar Messages

• Configuring Kerberos authentication for SSRS in native mode - SSRS 2008 R2-2012

  Hi,
  I've a SSRS native mode installation on a server and a SSAS installation on another server.
  In order to configure the Kerberos authentication for SSRS native mode, I need to register one SPN for the report server service, one SPN for SSAS service and to configure SSRS to use the negotiate authentication type, isn't it?
  Thanks

  Hi pscorca,
  If we have applications that only use Kerberos authentication and we are using RSWindowsNegotiate AuthenticationType, we must create a Service Principal Name (SPN) for the Report Server service if we configure it to run as a domain user account.
  Before setting up constrained delegation, we must register a
  Service Principle Name (SPN) for the Analysis Services instance. We will need the Analysis Services SPN when configuring Kerberos constrained delegation for middle tier services.
  There is a document about Enabling Kerberos Authentication for Reporting Services, you can refer to it.
  http://blogs.technet.com/b/rob/archive/2011/11/23/enabling-kerberos-authentication-for-reporting-services.aspx
  Hoe this helps.
  Regards,
  Alisa Tang
  Alisa Tang
  TechNet Community Support

• Regarding Kerberos authentication for webservices.

  Hi,
        I need to use kerberos authentication for my receiver webservice.  I am working in PI7.1 . Which adapter I can use for this ( WS-RM adapter or SOAP adapter) and How to configure it for kerberos. I mean, which value of authentication parameter refers to kerberos authentication.
  Regards,
  Reyaz hussain

  Hi Reyaz,
  To tell you frankly i never come across this kerberos protocol but since you would like to use there is certainly a chance after the launch of PI 7.1. The launch has Opened the Door to the World of Web Services Reliable Messaging.  "The Integration Directory enables you to easily configure scenarios where the Integration Server acts as a message hub between WS-RM-enabled applications and any other application or technical system. Thus, you can configure scenarios where either a Web Service client calls the Integration Server and the message is then routed to any other application, or the other way around where any application calls a Web Service provider via the Integration Server. In the Integration Directory you can do the complete configuration of the Integration Server inbound or outbound processing."
  https://www.sdn.sap.com/irj/scn/wiki?path=/display/profile/2007/07/25/new+news&focusedcommentid=44360
  Regards
  joel

• How to enable LDAP authentication for APEX

  How do I enable LDAP authentication for APEX 4.2? Thank for your help.
  Kevin

  you need to create new authentication based on predefined LDAP authentication from shared components => Authentication
  and provide your company LDAP authentication credentials

• Kerberos Authentication for EP 7.0 Portal

  We are implementing Kerberos Authentication on our EP7 Portal. In our landscape we have
  2 main domains (US & INTL). In each of the domain we have several domain controllers (more than 10 each). We had the following queries:
  1) We have a mix of domain controllers running on win 2000 and win 2003. Will this cause any issue with the SPNego configuration?
  2) Since we have more than 10 DCs in each domain do we need to add all the DCs as KDCs in the step 2 of SPNego wizard?
  System Details
  1) Portal Version à EP7 SP13
  2) Operating System à SunOS (sparcv9) 5.9
  3) LDAP à MS ADS
  4) DB à Oracle 10.2.0.2.0 - 64bit
  Thanks.

  Hi Lisandro,
  For Q1:  I don't think there should be a problem with the mixture of DCs types.
  For Q2: You only need to configure one DC in the wizard (a W2003 server may be the best choice). This is just the DC that the wizard talks to during configuration.
  Hope this helps,
  Darren

• Enable Custom Authentication for License Server for Packager Server

  How to enable processing of Custom Authentication for License Server for Packager Server?
  Please give examples.

  If I understand your question, you want to use the Flash Access Manager and/or the Watched Folder Packager (both are components of the Reference Implementation) to package content for a license server that uses Custom Authentication. To accomplish this, you need to use the Flash Access SDK to create a policy that specifies Custom Authentication is used.  For example:
  Policy pol = new Policy(false);
  LicenseServerInfo licServer = new LicenseServerInfo(AuthenticationType.Custom);
  pol.setLicenseServerInfo(licServer);
  // set rights and other policy attributes
    Once you create the policy, place the policy file on the Packager Server, and you can use this policy to package content.

• Kerberos Authentication for Oracle 9i ODBC

  Hi,
  I want to connect to Oracle 9i database through ODBC with Kerberos Authentication. Can any one able to provide some document/Sample Code/Web Resource ???
  Thanks,
  Zahir

  Hi,
  I want to connect to Oracle 9i database through ODBC with Kerberos Authentication. Can any one able to provide some document/Sample Code/Web Resource ???
  Thanks,
  Zahir

• Kerberos authentication for Excel Services

  Hi,
  I am configuring Keberos for Excel Service Application and facing some issue. Things i have done so far:
  Configured web application to use Kerberos: Verified it from server authentication logs, klist and net mon that web application is using kerberos.
  Excel service Account: domain\ExcelSVA
  SQL server service account: domain\SQLSERV
  C2WTS account : domain\C2wts
   set spn on in using setspn - s sp/excelservices domain\ExcelSVA and delegated constarined authentication to domain\SQLSERV
  then setspn - s sp/c2wts domain\C2wts and delegated constrained authentication to domain\SQLSERV.
  C2WS account has impersonate identity ,logon as service and act as part of OS rights in app servers where excel and c2wt are running 
  Now when i try to refresh data i get error :The data connection uses Windows Authentication and user credentials could not be delegated.
  The following connections failed to refresh: SQLServername port, databasename
  http://technet.microsoft.com/en-us/library/ff487975.aspx
  First 3 errors don't apply to me since i cant see these errors in SP log files and my sharepoint and database servers are in same domain.
  For UPN, there is a email id assoisated with account that i am using and i have been using that email id to logon to other services in my company so UPN should be done too.
  The Excel Services service account must have Active Directory permissions to query the object. Now this got me confusing. Where do i actually
  give this? In sql server or AD? Which object does it need to query? The excel database in sql server. If it is so, then the permission needs to be granted on sql .
  Also this link http://social.msdn.microsoft.com/Forums/en-US/99a3cf4f-dabc-4ac9-9ea8-afa677199ffa/kerberos-and-excel-services?forum=sharepointgeneralprevious
  Microsoft solution described here is weired. I don't think sql server has c2wts or excel service application started on it. And from drop down list that is i don't know what is the solution talking of.
  Does any one have any idea if i am missing any delegation or any step?
  sachin

  Any idea??
  sachin

• Kerberos Authentication Failure for POP3 After Upgrading to 10.6.5

  So I just upgraded from 10.6.4 to 10.6.5 and now Kerberos authentication for POP3 from Mail fails. Kerberos authentication for SMTP outgoing mail is just fine, it's only POP3 incoming mail that fails to authenticate. POP3 Kerberos authentication still works fine for the same account from another machine running 10.5.8. The mailaccess.log file contains the following:
  Nov 23 15:36:59 server master[423]: about to exec /usr/bin/cyrus/bin/pop3d
  Nov 23 15:36:59 server pop3[423]: executed
  Nov 23 15:37:00 server pop3[423]: accepted connection
  Nov 23 15:37:00 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
  Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
  Nov 23 15:37:01 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
  Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
  Nov 23 15:37:04 server pop3[423]: badlogin: FQDN [192.168.0.4] GSSAPI
  Nov 23 15:37:04 server master[52]: process 423 exited, status 0
  The server is running Mac OS X Server 10.4.11 and cannot be upgraded any further than as it is ancient hardware.
  Any thoughts?
  Cheers,
  Derek

  Makes perfect sense to me that ending one session by logging out enables him to begin a new session by logging back in. I give the young man credit for figuring out how to get around this deficiency in Parental Controls, as, deep down, I'm sure you do, too.
  If you can't trust him to stick to his agreed upon half an hour a day, you can always (threaten to) lock him out of the computer for 23.5 hrs/day using the Bedtime settings. ; )

• Configuring WACS for AD-kerberos Authentication in XI 3.1

  Hi,
  Installed WACS (WebApplication Container Server) and trying to configure CMC hosted on it, for AD-Kerberos authentication in XI 3.1.Followed all the steps inu201D XI 3.1 admin guideu201D but when trying to login to CMC using Kerberos authentication getting the error u201CAccount Information Not Recognized: Active Directory failed to log you onu2026u201D
  Then installed Tomcat on the same machine and deployed Infoview and CMC on it. Able to login to CMC and Infoview hosted on tomcat using Kerberos authentication, but still Kerberos authentication is failing with WACS.
  Also enabled Kerberos logging for WACS, by adding the command line parameters
  u201C-Dcrystal.enterprise.trace.configuration=verbose
  -Djcsi.kerberos.debug=trueu201D
  But not getting any useful from WebApplicationContainerServer_stdout.log.
  Could you please suggest me know how to proceed here.
  Regards,
  Saikrishna.

  Hi Tim,
  Yes. Did put the paths for krb5.ini and bscLogin.conf in the properties section of WACS.
  Tried deleting the WACS server (Right click and u201CDeleteu201D the server)->Created the server again from Home->Servers->Core Services->Manage->New->New server.
  But getting the same issue, able to login to WACS with enterprise authentication but AD is failing. Anything else I may need to check?
  Regards,
  Saikrishna.

• How to enable pin authentication features for hp laserjet 9050dn printers for all users?

  There Is A requirement to Enable Pin Authentication for all the users . We have hp laserjet 9050dn  Pinters
  We would Like to Save Papper hence wanted to enable this feature to all our printers.
  We would like to enable Pin authentication for all the users so that when a user fire a print out it would be in queue and when the user enters the PIN manually on the printer it would print and if the user doesnt require the pintout that he fired he dosent have to entr the PIN. Thus  End of the day all such  unrequired prints that were fired out will be in queu and they will be deleted end of th day.
  Thus we could save lots of Paper ..
  Can Some one Help Me to get this done...... Please post you Comments It Would be really Helpful....

  The product you have seems to be a commercial printer. For the best chance at finding a solution I would suggest posting in the forum for HP Business Support!
  You may find the Commercial Laserjet board here.
  http://h30499.www3.hp.com/t5/Printers-LaserJet/bd-p/bsc-413
  You can also find the article related to this product here:
  http://h20000.www2.hp.com/bizsupport/TechSupport/Home.jsp?lang=en&cc=us&prodTypeId=18972&prodSeriesI...
  (User manual, troubleshooting tips, drivers, and more info)
  Hope this helps!
  Help the community by marking this post as a solution if it solved your issue!.
  If my post helped you in any way, please click the blue KUDOS star under my name! It would mean a great deal.

• Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

  I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
  Given below are the steps of installation and configuration.
  Installation till basic authentication:
  The installation has been done in a
  single server.
  Installed SQL Server 2012 (Developer version).
  Selected only the following features:
  Database Engine Services
  Analysis Services
  Reporting Services – SharePoint
  Reporting Services Add-in for SharePoint Products
  Management Tools – Basic
  - Management Tools - Complete
    2. Installed SQL Server 2012 SP1.
    3. Installed SQL Server 2012 SP2.
    4. Installed SharePoint Foundation 2013.
    5. Created web application (without Kerberos; we did not even create the SPNs).
        The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed
  account.
    6. Created Site Collection.
    7. Verified that Reporting Services is not installed.
    8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
    9. Verified that Reporting Services is installed.
   10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
    11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
    12. Created a Site.
    13. Created a Data Connection library with “Report Data Source” content type.
    14. Created a Report Model library with “Report Builder Model” content type.
    15. Created a Report library with “Report Builder Report” content type.
    16. Uploaded an SMDL to the Report Model library.
    17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
    18. Able to create and save a report using Report Builder.
  Hence, basic authentication is working and SSRS is able to connect to Oracle database.
  Next we have to configure Kerberos settings between SharePoint and SQL Server.
  Implementation of Kerberos authentication
  In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config  and added the Authentication Types of RSWindowsNegotiate
  and RSWindowsKerberos.
   2.  Set up the following SPNs.
                 a) SQL Server Database Engine service (sqlDbSrv2):
                  setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
                  setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
               In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
  b) Account: SharePoint Setup Admin account (spAdmin2)
       setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
                  setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
                  In the Delegation tab of the account, selected "Trust this user for delegation to any  service
  (Kerberos only)".
  c) Account: SQL Server Reporting Service account (sqlRepSrv2)
                     setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
                     setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
                     In the Delegation tab of the account, selected "Trust this user for delegation to any service
  (Kerberos only)".
    3. Configure the Web Application to use “Negotiate (Kerberos)”.
    4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
       The Event Viewer logged the login process for the SharePoint Administration account as
  Negotiate and not Kerberos.
    5. Implemented Kerberos for Oracle database and client.
       Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
    6. Turn on Windows Firewall.
    7. While testing the site's data connection using Kerberos settings, got the error
  “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
        Note: The Data Connection for basic authentication still worked.
    8. Created a Claims to Windows Token Service account (spC2WTS2).
    9. Started the Claims to Windows Token Service.
   10. Registered the Claims to Windows Token Service account as a Managed Account.
   11. Changed the Claims To Windows Token Service to use the above managed account.
   12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
        Note: The Reporting Services service account is also a part of the WSS_WPG local group.
   13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
   14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
   15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
        When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically
  added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
   16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
   17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
        Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
   18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
        For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use
  any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
        Note: The Reporting Service account already had an HTTP SPN.
   19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
         For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
         The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any
  authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
   20. Restarted the SharePoint server.
   21. Tested the data connection with the Kerberos settings again.
         Got the error
  “ORA-12638: Credential retrieval failed”.
  Can anyone tell me what is wrong with this setup?

  http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
  Problem4: ORA-12638: Credential retrieval failed
  Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
  Do check 
  http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
  If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

• Using Kerberos authentication on Forms and Reports version 11.1.2

  Hi
  I have configured Kerberos authentication for Forms on the server and it works fine, but I cannot get it to work for Reports.
  When I access the database for Forms I use a connect string that looks like this: /@tns_name The Forms server is running using a domain user and the database user is externally identified. It just works.
  I have tried the same for Reports but it is not accepted. In the URL I have written userid=/@tns_name and the Reports server then asks for user id and password with a pre filled tns_name. I have tried to put the userid parameter in cgicmd.dat but the result is the same. Even enabled SSO in rwservlet.properties using singlesignon>yes</singlesignon> but it just do not work.
  I have bounced the server every time I have made a change to be absolutely that the changes had taken effect.
  The question is: How do I tell the Reports server that I do not want to apply user id and password but just the tns_name, like /@tns_name
  I know Kerberos authentication is not an area that is well known and I have spent hours over the years to find out how to make the configuration work.

  Questions regarding version compabilities come up quite often, yet the answer is still the same: have a look at the certification matrix http://www.oracle.com/technetwork/developer-tools/forms/oracle-forms-11gr2certmatrix-519680.xls
  for installation instructions on your chosen platform have a look at the installation manual: http://docs.oracle.com/cd/E24269_01/doc.11120/e23960/toc.htm
  What do you plan to do with SOA suite? This isn't needed for forms&reports.
  cheers

• Reg Re-authentication for Tcode access

  Dear All,
      I want to enable Re-authentication for certain tcode access in my SAP ABAP system. The SAP as such supports this with the SSF settings. I have the SSF working but am not sure how to enable the particular tcode for Re-authentication.For example i have created a z code zAl08 out of Al08 for test purpose.When an user tries to access zAL08 he should be asked to give his credentials for authentication and then should be able to access the tcode.
  1.Is this possible. (am already using a Security product working properly in my environment)
  2.How to configure(Steps) the zcode for enabling Re-authentication?
  Regards,
  Karthik

  Basically, what I said was:
  function auth_check_tcode.
  ""Lokale Schnittstelle:
  *"  IMPORTING
  *"     VALUE(TCODE) LIKE  TSTC-TCODE
  *"  EXCEPTIONS
  *"      PARAMETER_ERROR
  *"      TRANSACTION_NOT_FOUND
  *"      TRANSACTION_LOCKED
  *"      TRANSACTION_IS_MENU
  *"      MENU_VIA_PARAMETER_TRANSACTION
  *"      NOT_AUTHORIZED
  Dieser Funktionsbaustein dient als reine Kapsel für den C-Call
  auth_check_tcode und ist daher im Gegensatz zu authority_check_tcode
  nicht für die Prüfung vor dem Call Transaction gedacht, sondern für
  die Fälle, in denen ein Start Transaction geprüft werden soll,
  z.B. in der SE93.
  authority_check_tcode berücksichtigt wie der Kernel die per SE97
  pflegbaren Einträge in der Tabelle tcdcouples.
  Berechtigungsprüfung
    call 'AUTH_CHECK_TCODE'
         id 'TCODE' field tcode.
    if sy-subrc = 0.
    auth_check_tcode enthält die Prüfungen von tcode_executable,
    daher im OK-Fall keine Aufruf nötig.
    else.
      perform tcode_executable using tcode.
    Keine Berechtigung für Transaktion &
      message i077(s#) with tcode raising not_authorized.
    endif.
  endfunction.
        FORM tcode_executable                                         *
  -->  TCODE                                                         *
  form tcode_executable using tcode.
    call 'DY_CHECK_TRANSACTION'
      id 'TX' field tcode.
    case sy-subrc.
      when 0.         " Alles ok, return
      when 1.         " Parameter Error
        message i274(00) raising parameter_error.
      when 2.         " Transaktion nicht gefunden
        message i343(s#) with tcode raising transaction_not_found.
      when 3.         " Transaktion gesperrt
        message i348(s#) with tcode raising transaction_locked.
      when 4.         " Transaktion ist Bereichsmenü
        message i037(oz) with tcode raising transaction_is_menu.
      when 5.         " Bereichsmenü via Parameter-Transaktion
        message i350(s#) with tcode
                         raising menu_via_parameter_transaction.
      when 6.   " Nicht berechtigt; vorgesehen, aber nicht implementiert
        message i077(s#) with tcode raising not_authorized.
    endcase.
  endform.                    "tcode_executable
  </pre>
  Sorry, the comments are in German. But as you can see, there is no exit and the checks are in the kernel only.
  My hat is safe...
  Cheers,
  Julius
  Edited by: Julius Bussche on Jul 29, 2009 5:55 PM

• How to enable S/MIME in OWA MS Exchange 2013?

  Hello,
  I can't find in ECP for MS Exchange 2013 function to enable S/MIME for OWA. Can somebody help me? I found only registry update for MS Exchange 2010 SP1 or download S/MIME function for IE7+ for MS Exchange 2010, but I am not sure if I can use it for 2013.
  Thank you,
  Pavel Hula

  As Martina has pointed out, no S/MIME support in 2013 yet!
  Rajith Enchiparambil |
  http://www.howexchangeworks.com |