Establish Windows NT authentication

Similar Messages

• Windows Native Authentication with 2 (multiple) AD domains

  I have managed to get Windows Native Authentication for Oracle Application Server 10g (9.0.4) on Windows working. The following has been done and works in a test environment:
  Phase 1) Active Directory (AD) to Oracle Internet Directory (OID) Synchronization
  Phase 2) Configure a Kerberos Service Account for the Single Sign-on
  Currently all the above setup points to a single windows active directory server, i.e. active1.uk.oacle.com. This is acceptable for a test environment, but before the changes can be deployed to production I need to incorporate some disaster recovery.
  The active directory is replicated across multiple servers – i.e. active1.uk.oacle.com, active2.uk.oacle.com. In the event that the primary active directory server is unavailable Oracle users should still be able to access applications. I need to incorporate active2.uk.oacle.com into the above setup.
  Questions:
  1)Can I get away with not incorporating active2.uk.oacle.com into phase 1. If the users have been pulled into OID then we are not particular concerned with pulling in new users in a disaster situation.
  2)Can I configure the Oracle side of the Kerberos setup to use multiple realms with an order or precedence – i.e. try active1.uk.oacle.com, then try active2.uk.oacle.com. I would generate a keytab file from each server.
  Ideally I would like to just modify the Kerberos setup to check active1.uk.oacle.com then active2.uk.oacle.com. Is this a workable approach? If yes how do I proceed? I believe the krb5.ini and opmn.xml need to be amended.
  Thanks

  Does anyone have any ideas on how to do this????

• Windows domain authentication on Oracle Secure Global Desktop

  Hello,
  I made an upgrade of my oracle secure global desktop 4.62 version to 5.1 version.
  The problem is, I was using Windows Domain Authentication in 4.62 and this kind of authentication is not available in the 5.1 version.
  So now, my users cannot log in the application.
  Do you have a solution ?
  Thanks

  What are you authenticating to specifically?  An AD server?  Are you using any of the supported authentication mechanisms now supported?
  http://docs.oracle.com/cd/E41492_01/E41495/html/sgd-authentication.html#system-authentication-mechanisms-table

• Windows Integrated Authentication on an ABAP data source

  Dear Experts,
  I have to implement Windows Integrated Authentication in my portal. By using Kerberos & SPNEGO, we can implement very easily if portal user id & windows (ADS) user id is same. But my scenario is windows id & portal id is different & data source is already configured as ABAP. Can you suggest me how we can achieve this requirement.
  Regards,
  VENU

  Hi,
  isnt the property krb5principalname used to define the mapping of the user ID when you cannot use the AD standard samaccountname?
  I think that the mapped user ID (as provided by krb5principalname) must be identically with the ABAP userID. When the ABAP user ID isn't present in the LDAP information, SSO won't be possible. Somehow he needs to publish the ABAP user ID into the AD.
  SAP Help:
  http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c363ac31e30f3e10000000a11466f/frameset.htm
  http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c3725aeaf30b4e10000000a11466f/frameset.htm
  br,
  Tobais

• Prerequisites for Using Windows NTLM Authentication

  Hi,
  One of the prerequisites for using Windows NTLM Authentication, mentioned on help.sap.com documentation, is:
  - The user’s Web browser must be a Microsoft Internet Explorer
  This means that users not using Internet Explorer can’t authenticate using other web browser (Firefox and Netscape).
  In PAM, SAP says that web browser based on mozzila 1.7.x is also supported, and from this version on, Firefox and Netscape, both, support NTLM.
  NTLM Authentication in portal, still be supported with IE web browser?
  Thanks and Regards,
  Paul

  Hi Paul,
  I suspect that although it may not be officially supported, it will work.  The main thing is that a frontend web server perform the NTLM authentication and pass the header variable back to the J2EE engine.  By the time the header gets back to the J2EE engine, I dont think the portal has any idea how the header REMOTE_USER was generated, just that it was.
  Not positive though, as I havent tested the scenario you describe below..just thought I'd throw in my two cents.
  Marty

• Windows Native Authentication from Windows 7

  Has anyone successfully tested SSO with Windows Native authentication from a windows 7 client ?
  I have a working setup with SSO on OID 10.1.4.3 but with windows 7 client I get the fallback login prompt instead of automatic login.
  I have got a workaround from support but it still does not work:
  - on the client Windows7 PC to to PC security policies (Policies -> Network Security -> Configure encryption types allowed for Kerberos) and select all of them EXCEPT the “Allow future types” option;
  - change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection = REG_DWORD with a value of 3 (please take a backup of the registry settings before any change).
  Thanks // Kerstin

  Apply patch 6915917 solves the problem

• Over-ride Windows NT Authentication

  Hi All,
  I want to know something about Windows NT Authentication.
  What is the URL when the user is directly logged in to the Portal. Can I parameterize the URL. Is it possible to override the Windows NT Authentication by giving the user parameter in URL. If yes, then what should be the user parameter.
  Regards
  Nikhil Bansal

  Hi,
  Check the below link it will be useful....
  http://help.sap.com/saphelp_nw04/helpdata/en/a3/e5a0404dd52b54e10000000a1550b0/frameset.htm
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ee62e690-0201-0010-a480-870c17642aac
  http://help.sap.com/saphelp_nw04s/helpdata/en/8f/ae29411ab3db2be10000000a1550b0/frameset.htm

• Login error with windows AD authentication in IDT (Infomation Desugn Tool)

  HI,
  In IDT (Information Design Tool) I was not able to publish objetcs ( OLAP connections, Business View layer etc) to corresponding repository using windows AD authentication, but with enterprise I was able to do so.
  With the same AD authentications I was able to open universe design tool, BI launch pad .
  Please advise how to correct
  Error----
  Error:
  Failed to log on host com.crystaldecisions.sdk.exception.SDKException$SecurityError: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
  cause:java.lang.SecurityException: Unable to locate a login configuration
  detail:Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006) Unable to locate a login configuration
  Cause of Error:
  Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
  Error----
  Thanks in advance
  Regards
  Krishna

  Had the same problem and found note '1588487 - Active Directory authentication failed with InfoDesignTool'
  Problem solved for me.

• Web Dispatcher with Windows Intgrated Authentication

  Hello,
  We are setting up the relay of Browser ==> IISProxy ==> Web Dispatcher ==> Cluster.  We plan to use Windows Integrated Authentication and terminate the SSL connection at the IIS.  We are wondering how smoothly this will go as we have read differences in the order between IISProxy and WebDispatcher (in these forums) and have found nothing on the combination with SSL.  I assume that the IISProxy will encrypt, authenticate, provide the cookie and then forward the request to the Web Dispatcher for further routing to the cluster.
  Needless to say, has anyone done this successfully?  Can anyone provide information, warnings, caveats, etc... so that we can decide to use the Web Dispatcher or another software-based NLB solution.  We understand the technical benefits - especially in an SAP shop, but if there are richer features for authentication in latter releases we may consider putting it on hold and going with a known solution.
  We have seen some appliances that can perform the SSL termination, 3rd party authentication, etc, etc,... are there any plans for the Web Dispatcher to be able to perform the authentication with windows (NTLM or Kerberos)?
  All of the other features are grat and a breeze to work with however authentication on the MS domain is a must here and it may be the missing functionality.
  Thanks and kind regards,
  Judson

  Hi Judson,
  currently there is no plan to enhance web dispatcher into that direction. Instead we started to work together with network technology providers to offer the funtcionality of web dispatcher together with additional security and authentication stuff.
  network is not our business, so there are no plans to boldly go into that direction. Because of that such combinations like authentication with wd are sometimes hard to do.
  If you want a tip for the future I'd say, what you will see is boxes that have everything in there and two plugs for the internet and the sap network -everything else (firewalls, authentication, load balancing with automatic recognition of the sap cluster) would be in the box.
  Regards,
  Benny

• WebLogic 10gR3 and Windows Integrated Authentication

  Hi:
  I have an intranet web application running on WebLogic 10gR3 and would like to make use of the Windows Integrated Authentication (SSO, SPNEGO, Active Directory) so that the intranet users don't have to log in to access the web application.
  In weblogic, I've managed to create an ActiveDirectoryAuthenticator and can see all the users and groups from Active Directly. Also created a NegotiateIdentityAsserter with both WWW-Authenticate.Negotiate and Authorization.Negotiate options.
  When I set the web.xml login-config to BASIC, the browser shows the login dialog and authentication happens through AD. I've changed the login-config to CLIENT_CERT as suggested by the documentation:
  <login-config>
       <auth-method>CLIENT-CERT</auth-method>
  </login-config>but I'm getting the following error:
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.2 401 Unauthorized
  The request requires user authentication. The response MUST include a
  WWW-Authenticate header field (section 14.46) containing a challenge
  applicable to the requested resource. The client MAY repeat the request
  with a suitable Authorization header field (section 14.8). If the request
  already included Authorization credentials, then the 401 response indicates
  that authorization has been refused for those credentials. If the 401
  response contains the same challenge as the prior response, and the user
  agent has already attempted authentication at least once, then the user
  SHOULD be presented the entity that was given in the response, since
  that entity MAY include relevant diagnostic information. HTTP access
  authentication is explained in section 11.Help is highly appreciated
  Albert
  Edited by: albertattard on Jul 13, 2009 3:40 PM
  Edited by: albertattard on Jul 13, 2009 3:42 PM

  Hi:
  I have an intranet web application running on WebLogic 10gR3 and would like to make use of the Windows Integrated Authentication (SSO, SPNEGO, Active Directory) so that the intranet users don't have to log in to access the web application.
  In weblogic, I've managed to create an ActiveDirectoryAuthenticator and can see all the users and groups from Active Directly. Also created a NegotiateIdentityAsserter with both WWW-Authenticate.Negotiate and Authorization.Negotiate options.
  When I set the web.xml login-config to BASIC, the browser shows the login dialog and authentication happens through AD. I've changed the login-config to CLIENT_CERT as suggested by the documentation:
  <login-config>
       <auth-method>CLIENT-CERT</auth-method>
  </login-config>but I'm getting the following error:
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.2 401 Unauthorized
  The request requires user authentication. The response MUST include a
  WWW-Authenticate header field (section 14.46) containing a challenge
  applicable to the requested resource. The client MAY repeat the request
  with a suitable Authorization header field (section 14.8). If the request
  already included Authorization credentials, then the 401 response indicates
  that authorization has been refused for those credentials. If the 401
  response contains the same challenge as the prior response, and the user
  agent has already attempted authentication at least once, then the user
  SHOULD be presented the entity that was given in the response, since
  that entity MAY include relevant diagnostic information. HTTP access
  authentication is explained in section 11.Help is highly appreciated
  Albert
  Edited by: albertattard on Jul 13, 2009 3:40 PM
  Edited by: albertattard on Jul 13, 2009 3:42 PM

• How to do HTTP getRequest() with windows NTLM authentication from OBPM..??

  Hello All,
  Please share your expert ideas how me can do HTTP getRequest() with windows NTLM authentication from OBPM..??
  I am not sure even whether its possible or not, if not what could be the alternative way to do integration with MS SharePoint ??
  Version : Oracle BPM v 10.3.1
  Cheers
  Parveen Jaswal

  You are only as secure as web browsing to the LogMeIn website is (which appears to use HTTPS). If your login on that site is compromised, they will have a list of your computers that they can attempt to connect to. As long as you don't save the login credentials, they would then also need to know what username and password to use to connect to the computer. Granted, a little social engineering, and they could probably get some good ideas what to try for those, but if you chose to make your computers secure with complex and hard to guess passwords then it should be fine.
  I've been using LogMeIn from my Mac to my mom's Windows XP system from July 2009, and to my wife's Thinkpad running Win 7 since Oct 2009. None of the computers involved have had any security issues at all, let alone any caused by LogMeIn. For my wife's PC, it sits behind our NAT Firewall in our LinkSys Router (although I did have it behind a CheckPoint VPN Edge router for a while). My Mom's PC sits behind a Netgear Router providing its NAT Firewall. When my Mac isn't at home, it's generally behind that CheckPoint VPN router at my office now. It all works nicely from behind one router to behind another. The Piece that you install on the PC will log it into the LogMeIN website and that is how it gets through the router to the PC. You login to the website, select the PC to control, then login to that PC.

• Java webservice client with windows domain authentication

  I'm writing (well attempting to) a Java web service client using netbeans that consumes a web service written in C#, that uses NTLM authentication.
  If I consume the webservice from a .NET client, authentication isn't a problem; I can just pass the crediantails in on an engine object.
  eg engine.Credentials = System.Net.CredentialCache.DefaultCredentials.
  Upon consuming this webservice in java the Credentials method doesn't appear on the engine object like it doesn't with it's C# counterpart.
  I assume that Java goes about a different way of doing windows domain authentication?
  Cheers

  for what ever reason it just seemed to start working.

• Crystal Report 2008 Server - Windows AD authentication

  We have installed Crystal Report 2008 Server and have created Administrator with Enterprise authentication. Using Administrator login, Windows AD-groups were mapped, none of the user from the defined group is able to login using InforView. Created Administrator using Windows-AD authentication, that user to is not able to login.
  When tried LDAP authentication and mapped users, it's not working as well.
  What needs to be done here? we need to get it done urgently.
  Thanks,
  Pradnya

  I have a Windows 2008 Standard 32bit Server running CRS2008
  I performed a default install with ONLY WACS.  I have looked through every possible document I could find to get kerberos working and am still having trouble.  The specific error I am getting when trying to logon to the CMC is:
  Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
  The AD group is mapped, I have followed every Kerberos setup document to the letter and still nada.
  Any help would be greatly appreciated.
  Chad

• SP 2013 Upgrade error - web application is configured with claims authentication mode however the content database you are trying to attach is intended to be used against a windows classic authentication mode.

  Hi there,
  I get this error when I perform a DB Attach upgrade from SharePoint 2010 to SharePoint 2013. 
  "web application is configured with claims authentication mode however the content database you are trying to attach is intended to be used against a windows classic authentication mode."
  Any help is appreciated. Thanks.

  There is other way of fixing this issue apart from what Amit mentioned. Create a classic based web application in SP 2013 using PowerShell.
  New-SPWebApplication -Name "TestApplication" -ApplicationPool "TestApplicationAppPool" -AuthenticationMethod "NTLM" -ApplicationPoolAccount (Get-SPManagedAccount "sppoc\spfarm") -Port 100 -URL "http://sp2013demo"
  Now mount the content database from SP 2010 on to the web application created above 
  Mount-SPContentDatabase WSS_Content_100 -DatabaseServer SQL2012Demo -WebApplication http://sp2013demo:100
  Once the mount is complete, convert the web application to use claims and migrate the user to use claims identity.
  Convert-SPWebApplication -Identity "http://sp2013demo:100" -To Claims –RetainPermissions -Force
  $w = Get-SPWebApplication "http://sp2013demo:100"
  $w.MigrateUsers($True)
  See my blog post about it: http://www.sharepointnadeem.com/2014/01/upgrade-from-sharepoint-2010-classic.html
  Please remember to up-vote or mark the reply as answer if you find it helpful.

• Windows NT Authentication type Disabled

  Hi,
  Windows NT Authentication type Disabled after Insatall SAP Integration kit
  Best Regards,
  Reddeppa K

  NT auth is not an option on a java app server it is only an available dropdown in client tools and IIS (.net) deployments. This means in 3.x it will never be available for the CMC and only available for infoview deployed on IIS. On top of that it should not be used with any of our supported versions of AD The plugin is deprecated and will be removed from the next version of our product. Use the AD plugin it can connect to anything the NT one can and much more.
  Regards,
  Tim