External Authentication in EAS using MSAD

Similar Messages

• External authentication using Headervariable

  Hi SAP Experts
  We have configured External authentication for WEM using Headervariable.We are using BI Java 7.0
  External authentication is working fine using Headervariable Login module for URL http://<WEb Server hostname>/irj which redirect to http://<J2EE hostname>:<port #>/irj
  As you all know that we also use http://<J2EE hostname>:<port #> for Administation point of view where many options available like user management, SLD, Webdynpro, NetWeaver Administation etc.We have not configured this URL for External Authentication  and also do not want to configure but when tyring to access any administration option on this, portal prompts default logon page and after entering Portal UserID/Password we get message like " No Loginmodules configured for Header"
  I do not know why system display this message
  Please help me if anyone has experience to resolve this issue, as we want to use URL http://<J2EE hostname:<port #>, which should prompts Portal Logon screen and after entering Portal userid/password we should access the administration screen without afftecting our External Authentication configuration for URL http://<WEb Server host>/irj
  Thanks in Advance
  Thanks with Regards
  Deelip Kumar

  Hi Deelip,
  my earlier post referred to an additional authscheme that you may have created. If you have done so, please remove it. If you have checked this, there still is a predelivered authscheme called header, wich references a login stack called header. This login stack template does not exist as a default.
  In this case, you may have assigned this authscheme (header) to some component, like an iview. How this works is explained in the docs <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/f91fba71ae48309e4267b4a36fa47b/frameset.htm">here</a> and<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/a334ed5bbfd5488b8cdd67b2c594a9/frameset.htm">here</a> for example.
  If you have done so, this reference to the authscheme header may trigger the lookup of the login stack template called header, which does not exist and thus leads to the error.
  For detailed error analysis, I would recommend to search the security log and the portal logs for indications where the source of this error might be.
  Regards,
  Patrick

• Trouble With External Authentication!

  Hello all!
  I have been trying to experiment with external authentication with PHP using the samples provided with the LCCS SDK Navigator.
  I have changed the "index.php" page to include all my account info. and have double checked it!  However, when I upload it to my server, I keep getting the following error(s) whenever I click the submit button on the form:
  Warning: fopen() [function.fopen]: URL file-access is disabled in the server configuration in /home/tueslcom/public_html/LoginTest2/lccs.php on line 690
  Warning: fopen(https://collaboration.adobelivecycle.com/myusername?mode=xml&accountonly=true&) [function.fopen]: failed to open stream: no suitable wrapper could be found in/home/tueslcom/public_html/LoginTest2/lccs.php on line 690
  Fatal error: Uncaught exception 'RTCError' with message 'connection-failed' in /home/tueslcom/public_html/LoginTest2/lccs.php:695 Stack trace: #0 /home/tueslcom/public_html/LoginTest2/lccs.php(587): RTC::http_get('https://collabo...', Array) #1 /home/tueslcom/public_html/LoginTest2/lccs.php(254): RTCAccount->do_initialize() #2 /home/tueslcom/public_html/LoginTest2/index.php(33): RTCAccount->__construct('https://collabo...') #3 {main} thrown in /home/tueslcom/public_html/LoginTest2/lccs.php on line 695
  I have a bit of experience with PHP, however, going through lccs.php and trying to reverse engineer everything to find out what`s going on is a little beyond my skill level!  Any idea what might be happening/missing here?  This seems like it should be a no-brainer!
  Thanks in advance for any help anyone can give.
  Matt

  Raff,
  Thanks for your quick reply!
  I called phpinfo() and it appears that OpenSSL is working:
  OpenSSL Support - enabled
  OpenSSL Support - OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
  Is SSL needed for encrypted communications between the browser and the LCCS server?  When it comes to ports, security, and all the headaches that go with it, I am pretty much a NOOB (by choice)!
  Also, the forum search doesn`t seem to be working (at least it`s not returning anything for me).  Any hints as to what other modules are needed?
  btw - Is it "http://connectnow.acrobat.com" or "https://collaboration.adobelivecycle.com"?
  And it seems that "lccs.php" had been renamed from "afcs.php" along with "RTCAccount", which used to be "AFCSAccount".  The code examples have not been updated to reflect this, and although I fixed this in some of the code, could there still be problems inside "lccs.php"?
  Thanks again,
  Matt

• Authenticating Guest Users Using External Database.

  Folks, greetings.
  Due to the limitations imposed by wlc's database size, we decided to go for an external authentication server.
  Since this external database is for guest access, we are considering in using a Linux box with LDAP, along with a web-based application which will be presented to the user for authentication purposes. This way, the user would type in his/her credentials on this portal and the same box would process the authentication.
  In such a scenario, we would buid an application for the "Lobby Amabassadors" input the guest data (for auditing purposes we need to enter the user's SSN, passport # or any other official ID), and this application would generate the password to be used during the authentication process.
  I've used web-auth before, with the users database loaded on the WLC (local net users). Even using an external web-auth portal, the user is still authenticated by the controller that in turn, will control whether the traffic is to be allowed or not, based on the authentication results.
  That's exactly where our question lies: how should we configure the WLAN so that the WLC would receive the access request and forward it to the authentication portal/server? Would it envolve radius?
  This same Linux would be the DHCP server for this guest WLAN.
  WLC vesion: 4.2.130.0
  Regards,
  AL

  Using the Web Authentication feature on a Cisco wireless LAN controller, we can authenticate a guest user on the wireless LAN controller, on an external web server or on an external database on a RADIUS server. We can configure the wireless LAN used for guest traffic to authenticate the user from an external RADIUS server.
  To enable an external RADIUS server to authenticate traffic using the GUI, follow this link.
  http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html#wp1001207

• Shared Services External Authentication using LDAP in 9.3.1

  Hi,
  I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
  Questions:
  1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
  2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
  If not possible, can we manage the Groups of the User directory using shared services? How is the groups work with external authentication?
  Any feedback would be much appreciated.
  Thanks,
  Lian

  Hi,
  Yes you can use both Native and external authentication. When you add the external provider the native is left by defaut anyway.
  Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
  Gee

• Use of groups on External Authentication.

  Hi All, I'm triying to use Active Directory groups instead of users in order to authenticate users on ODI 11.1.1.6.
  Unfortunately ODI seems to be prepared to use MS AD users, but groups.
  Does anybody configure LDAP to authenticate users and got it working with groups?
  Thanks and regards!

  ODI 11g supports external authentication for users only.

• WebVPN using External Authentication

  I have a VPN concentrator 3005 that is configured for WebVPN which works great if I login with a local user.
  I would like to authenticate my users through our LDAP. I created a SSLusers group that is setup for external authentication. The SSLusers group works fine when I use the Cisco VPN client to connect (I enter the group name/password in the text boxes, when it connects it asks for the username/password).
  In the logs it shows that it is checking for the user in the Internal server, I want to point it to my ACS box. I feel like there is a check box somewhere that I am missing that tells the concentrator 'if I can't find the user in my local database, check the external authentication server'.
  Any advice on how to get the external authentication working with the WebVPN would be most appreciated. Thanks in advance.

  Thanks Daniel for the suggestion. I tried to add the above, but still received the same error. Is there an additional checkbox that needs to be marked for the base group to search the radius server?
  Authentication rejected: Reason = User was not found
  handle = 686, server = Internal, user = bobeldde, domain =
  It appears to work ok if I login with 'bobeldde#ssl';where the ssl group is configured for Radius Authentication.

• TS1338 I have 4 Trojan Horse viruses on my external drive I use for Time Machine.  My MacBook Pro hard drive is clean.  I have eased the external drive 3 times using Disk Utility and it still has the 4 Trojan Horse viruses. How do I get rid of them. Wayne

  I have 4 Trojan Horse viruses on my external drive I use for Time Machine.  My MacBook Pro hard drive is clean.  I have eased the external drive 3 times using Disk Utility and it still has the 4 Trojan Horse viruses. How do I get rid of them. I am using 10.8.3  Wayne

  ksu62 wrote:
  The infection names are:  classload.jar-719ef6a5.zip
                                            classload.jar-5db452le31.zip
                                            ar3.jar-6ce3b2f-45l483f.zip
                                            classload.jar-lef99412-63bsd3fl.zip
  Those look alot like file names and not infection names. I don't find any reference to anything like that on Norton or VirusTotal. Since you said these were Trojans, I would expect to see "Trojan" as part of the infection name.
  ".jar" files are executable Java applets. The random alpha-numerics would seem to indicate a cache file, likely from a browser with Java enabled. And we all know what ".zip" means.
  Worst case is that you had Java enabled in a browser and were infected by one of the late variants of the Flashback Trojan over a year ago or one of a couple of other attacks using the same vulnerability but targetted against a small number of political sympathizers. Much more probable is that thes were Windows only Trojans. Hopefully you have a fully up-to-date OS X, including Java, and have disabled Java in all your browsers by now.

• Reconfigure Active Directory External Authentication plug in to use ssl

  Assuming this is the proper place to post this question:
  I've quickly gone through the IM integration documentation trying to find out how to reconfigure the ad external auth plugin to use ssl and have come up empty handed. Does anyone know how to do this? Should I just rerun oidspadi.sh?
  Also, where can i view the configuration information that was entered the last time this was configured?
  thanks for any help!
  chris

  Rerun oidspadi.sh and select SSL option. You can get adwhencompare and adwhenbind plug-ins detail under plug-in management in Oracle directory manager.

• External authentication on Essbase 9.3.1

  I am migrating from Essbase 7.3.x on 32-bit Windows to System9 on 64-bit windows. External authentication works on both Shared Services and EAS. I have successfully registered EAS and Essbase with shared services however I do not see Essbase in "User console" of Shared Services as an application. I am able to create native authenticated users in Essbase but unable to externalise the security. I get the following error messages when trying to externalise:
  Error: 1051549: Can not convert Analytic Services to Shared Services mode when Analytic Services is not configured with Shared Services or the initialization process has failed
  On starting Essbase, I see the following error message when I use the same CSSconfig file as used by shared services:
  [Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Error(1051223)
  Single Sign On function call [css_init] failed with error [getOSVersion]
  [Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Info(1051198)
  Single Sign-On Initialization Failed !
  If I point to the current CSS file used in production Essbase 7, I get the following message:
  [Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Error(1051223)
  Single Sign On function call [css_init] failed with error [-1]
  [Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Info(1051198)
  Single Sign-On Initialization Failed !
  In either case everything except External Authentication on System9 for Essbase works.
  Both shared services and Essbase are on the same 64-bit Windows box.
  Any help in resolving this will be greatly appreciated.
  Thanks,
  Vikram.

  HI:
  I recommand following these steps:
  1. Go to the box where you have your Essbase installed
  2. Pull up the Shared Services Configuration Utility
  3. Select COmponent to be registered as Essbase
  4. Remeber to stop the essbase - i assume you are getting the error hence essbae would not have loaded.
  5. Re-register Essbase with Shared services
  6.Start essbase in Foreground
  It shuld Start :) good Luck..let me know If this failed..
  Thanks,
  Sriram

• Essbase security Migration from native mode to external authentication

  Hi!!
  I want some guidance on setting up security, all the users are currently in Native user mode and Native groups.
  Now we want to migrate to external mode, current version of hyperion is 11.1.1.3, any steps to follow in
  this direction would be really helpful.
  What is the best way of migrating huge user base from native directory to setting up for external authentication,
  this is the first time move from native to external authentication, If anyone who has done this will be helpful.
  steps to setup , maxl based migration will be helpful or utility based.
  Thanks

  When you say native mode do you mean that that essbase security is in native mode and you want to convert to shared services security mode,or do you mean you are using shared services securtiy with native users and you want to use an external directory like MSAD.
  For your question ::
  Yes the first piece is correct, our security is in native mode.
  and we want to convert to shared services security mode,
  The request involves moving from essbase native mode to Shared services native user mode (moving all the existing users, groups and existing provisioning)
  The next stage is moving from Shared services native user mode to external directory. (moving all the existing users, groups and existing provisioning)
  Your input will guide me in the direction.
  Thanks

• Essbase analytic services 7.1.5 & external authentication

  Hi,
  first off, you have to excuse me for being a total newbie in the field of Essbase ;)
  We are currently trying to move our external authetication from Novell eDirectory via LDAP to Microsoft Active Directory. We use the LDAP authentication module with the following string in essbase.cfg "AuthenticationModule LDAP essldap.dll x".
  Reading the documentation for external authentication (x_auth.pdf) we came to the conclusion that we "needed" the Hub installed. Talking to Hyperion support told us that use of the Hub with our version was very unusual.
  Is it possible to configure the CSS authentication module to use a .xml file configured for our Microsoft AD and simply forget about the hub? If so, does the following lines look correct to you:
  essbase.cfg:
  "AuthenticationModule CSS file://localhost/D:/Program/ESSBASE/bin/css_config.xml"
  css_config.xml:
  <msad name="msad1">
  <trusted>false</trusted>
  <url>ldap://ADDC_server:389/ou=contoso, dc=COMPANY, DC=LOCAL</url>
  <userDN>cn=Administrator</userDN>
  <password>wordpass</password>
  <authType>simple</authType>
  <authProtocol>ssl</authProtocol>
  <identityAttribute>dn</identityAttribute>
  <user>
  <url>ou=Users</url>
  <loginAttribute>cn</loginAttribute>
  <fnAttribute>givenname</fnAttribute>
  <snAttribute>sn</snAttribute>
  <emailAttribute>mail</emailAttribute>
  <objectclass>
  <entry>person</entry>
  <entry>organizationalPerson</entry>
  <entry>user</entry>
  </objectclass>
  Trying to add or copy a user in the Essbase Administration Services enterprise view gives us the following error:
  "Error: 1051203 Single Sign On External Authentication is Disabled"
  That tells me that we need to configure SSO in the css_config.xml file, but i have not found any examples for Analyzer but only for OBIEE.
  Is there anybody at this forum that have achieved what we are striving for?
  Best Regards,
  Johannes

  Hi,
  Something must wrong in your css.xml, I am not sure if you can get any further logging...
  here is an example of a css.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <spi>
  <provider>
  <msad name="msad1"> <trusted>false</trusted>
  <url>ldap://ldapserver:389/dc=CompanyName,dc=com</url>
  <userDN>CN=#######,OU=Security Accounts,OU=IT,DC=CompanyName,DC=com</userDN>
  <password>########</password>
  <authType>simple</authType>
  <identityAttribute>dn</identityAttribute>
  <user>
  <loginAttribute>sAMAccountName</loginAttribute>
  <fnAttribute>givenname</fnAttribute>
  <snAttribute>sn</snAttribute>
  <emailAttribute>mail</emailAttribute>
  <objectclass>
  </objectclass>
  </user>
  <group>
  <url>cn=LostAndFound</url>
  </group>
  </msad>
  </provider>
  </spi>
  <searchOrder>
  <el>msad1</el>
  </searchOrder>
  <token>
  <timeout>60</timeout>
  </token>
  <logger>
  <priority>ERROR</priority>
  </logger>
  </css>
  If you are still struggling you could try an ldap browser to see if you can connect with the details you are trying.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Export shared service active users (provision for Hyperion)only using MSAD.

  Hi..
  I m using Hyperion 9.x . and using active directory in shared services.
  while i m using importexport utility to export the active users list with provisioning.
  Issue is :
  Hyperion external authentication have all users of Active directory but i need to export only active users which are provisioned for Hyperion projects .
  I dont need the complete users list .
  Also i m unable to export the provisioning of users in exported file.
  Please can you help me in getting the correct export statement for the above.
  Thank you very much

  Thanks John !!
  I am using the following statement for 9.3.0 but not getting provisioning section in exported file.
  Only users/Groups/Roles are there in exported file.
  Please help me to overcome the problem .
  importexport.css=file:/C:/Hyperion/SharedServices/9.3/AppServer/InstalledApps/WebLogic/8.1/css.xml
  importexport.cmshost=HSS machine name
  importexport.cmsport=58080
  importexport.username=User name **User name i m using is Active Directory user with administrative rights in Hyperion**
  importexport.password=password
  importexport.enable.console.traces=true
  importexport.trace.events.file=C:/Hyperion/common/utilities/CSSImportExportUtility/importexport/trace.log
  importexport.errors.log.file=C:/Hyperion/common/utilities/CSSImportExportUtility/importexport/errors.log
  importexport.locale=en
  # export operations
  export.fileformat=csv
  export.file=C:/export.csv
  export.internal.identities=true
  export.MSAD.user.passwords=true
  export.provisioning.all=true
  export.delegated.lists=false
  export.user.filter=*@MSAD
  export.group.filter=*@MSAD
  export.role.filter=@MSAD
  export.producttype=*
  export.provisioning.apps=*
  Thank you very much
  Vivek Jaiswal
  Edited by: user11966901 on May 25, 2010 8:16 PM
  Edited by: user11966901 on May 25, 2010 8:19 PM
  Edited by: user11966901 on May 25, 2010 8:20 PM

• Mass conversion to external authentication

  We are currently in the process of upgrading from Essbase 6542 to 715. We are also implementing external authentication. Tried ASM from OLAP Underground but it can?t convert to external authentication. Tried reading Admin/Tech doc?s to see if there was a utility application but found nothing. Did find that using EAS I can copy a single user from 6542 to 715 and convert to using external authentication but I can?t do more than one at a time. Is there any way to copy more than one user and convert to external authentication.

  Vince
  Don't feel you need to jump all at once - quite the contrary. Convert a few images to DNG as tests, work them through all the things you'd ever need to do, view them in all the programs you ever use, and check the metadata and the appearance in all those environments. Then you can answer the question for yourself.
  (When I decided to move over to DNG, it was after 2 weeks of putting all new shots through a DNG workflow. It wouldn't have been too much work to redo.)
  I'd archive the NEFs. You may never need them again, but space is cheap and you never know when you might want to test a program that won't read DNGs.
  John

• Essbase External Authentication

  Anybody know where can I find more information about Essbase External Authentication?Particularly about LDAP Authentication?I read about it from dbag.pdf,but there is little resource.And I can't correctly set our "cognos LDAP Authentication" as new Essbasee application Authentication.I don't know whether it is because the AUTHENTICATIONMODULE parameter I wroten is wrong.Our cognos LDAP setting is: Default Directory Server: Host: 192.168.2.120:389 BaseDN: o=Cognos,c=CA Default Namespace: Use irectory server default Your local cache is disabled.In essbase.cfg file I write:AuthenticationModule LDAP essldap.dll x o=Cognos,c=CA,@192.168.2.120:389Is it right?Any help is appreciated.

  Hi,
  Remember, order of the user repositories does matter when you have same username in both of them.
  You need to set MSAD repository in the first order here, I understand.
  than you need to copy provisions from native directory to MSAD.
  Regards,
  Ahmet