External authentication, ticket expiry
When I'm doing external authentication to get a token, does the same token always get returned to me for the user/room pair? Or does it expire after a certain point and a new one is generated?
So there's no way for me to "cache" these tokens? I ask because the external authentication step is rather slow. It takes a long time, 10 seconds, to enter a room, and it seems like a lot of the processing time is on the Adobe end. Any other way to speed this up? Thanks for the response, raff.
Similar Messages
-
Invoking 'active directory external authentication plug-in' from login.jsp
Hi
I am using Oracle AS 10g on Unix. We have a Java web application based on the OC4J framework.
Currently users use the application URL to access the login page, enter credentials, and then authentication is done through LDAP.
Now we have to remove the login page from the application, i.e. once the user is successfully logged in to Windows on his PC and tries to access our application through its URL, he must be automatically authenticated using the credentials entered in Windows and shown the welcome page of the application, same as any intranet application.
For this requirement, we have the 'active directory external authentication plug-in' installed on the server.
What we need to know is how this process will work and what changes are required in our JSP page to invoke this plug-in and authenticate the user by accessing the Windows credentials automatically.
Kindly let me know.
Hi
I am currently using NTLM to fetch the Windows username and then creating an anonymous connection with the LDAP server.
Then I search using the user name in the LDAP directory.
NTLM is no longer required; instead we have the 'active directory external authentication plug-in' installed on LDAP.
As far as I know the plug-in will process the Kerberos ticket generated by Windows to automatically authenticate. -
Password aging for externally authenticated user
Hello All:
How can we implement password aging for an externally authenticated user?
Thanks
San~
If the user is externally authenticated, then the password expiry should be external, e.g. for the Unix account.
"When you choose external authentication for a user, the user account is maintained by Oracle, but password administration and user authentication is performed by an external service. This external service can be the operating system or a network service, such as Oracle Net.
With external authentication, your database relies on the underlying operating system or network authentication service to restrict access to database accounts. A database password is not used for this type of login. If your operating system or network service permits, you can have it authenticate users. If you do so, set the initialization parameter OS_AUTHENT_PREFIX, and use this prefix in Oracle user names. The OS_AUTHENT_PREFIX parameter defines a prefix that Oracle adds to the beginning of every user's operating system account name. Oracle compares the prefixed user name with the Oracle user names in the database when a user attempts to connect." -
Error while Configuring AD external authentication plug in
Hi
While configuring the Active Directory external authentication plug-in I am getting the following error:
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
Please enter Active Directory host name: clmad101.ad.company.com
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string:SQLPLUS sys/manager1 @infradb.ad.company-.com @md61nthiims1.ad.company.com:1521
Please enter ODS password:
Please enter confirmed ODS password:
Please enter OID host name: md61nthiims1.ad.company.com
Please enter OID port number [389]: 389
Please enter orcladmin password:
Please enter confirmed orcladmin password:
Please enter the subscriber common user search base [orclcommonusersearchbase]:
CN=Users,dc=ad,dc=company,dc=com
Please enter the Plug-in Request Group DN:
Please enter the exception entry property [(!(objectclass=orcladuser))]: (|(!objectclass=orcladuser))(cn=orcladmin))
Do you want to setup the backup Active Directory for failover? (y/n) n
Installing Plug-in Packages ...
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Registering Plug-ins ...
adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
Done.
Is there anything wrong in the DB connect string??
Thanks
Did you check the debug information from the external auth plugin?
This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
Here is an excerpt:
D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
...enable the plug-in debugging. To do this, enter:
> sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log, enter:
> sqlplus system/manager
SQL> select * from ods.plg_debug_log order by id;
(To delete the plug-in debugging log:
> sqlplus system/manager
SQL> truncate table ods.plg_debug_log
To disable the plug-in debugging:
> sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
E) Dump the plug-in profile to make sure it is enabled and configured correctly:
> ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"
please take also a look into the DIPTESTER tool available in
http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
regards
--Olaf -
Plug-in Request Group field into the external authentication plug-in
Hi all,
I'd like to know if anyone has already tried to filter who has permission to call the external authentication plug-in by setting it in the Plug-in Request Group field.
I've made some tests adding some users into the groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunately, I've had no success.
Is it possible to do this?
Thank you.
Message was edited by:
user571491 -
External Authentication on Windows
Guys, this is driving me crazy.
I had an external user configured on my Oracle 9.2.0.5 database on a Windows 2003 Server.
It was working, I use it to make dump backups.
Now, without any change to any Oracle param or bounce, it just stopped working.
I have two instances, for one it's working, for the other it's not.
Both instances are on the same server (so I'm using the same sqlnet.ora file with NTS authentication).
Today I removed and recreated the user on both instances, but I keep getting the same problem.
create user "OPS$DOMAIN\ORABACKUP" identified externally
default tablespace users
temporary tablespace temp
The parameters are the same on both instances:
os_authent_prefix string OPS$
os_roles boolean FALSE
remote_login_passwordfile string EXCLUSIVE
remote_os_authent boolean FALSE
remote_os_roles boolean FALSE
Do you have any ideas of why this could happen??
Is there another parameter related to external authentication that I don't know?
Thanks!
Was there ever an answer on this? Having problems with setup using the same versions.
-
PHP external authentication issue
Trying to login to AFCS connection using external authentication.
The PHP file generates a key correctly and everything seems fine up until I get to using the key inside Flex.
At the login stage I get the following error in the console trace from the library login call.
As far as I can tell everything is right... how can I tell what is wrong with the authentication key?
AFCS Beta Build # : 1.1
requestInfo https://connectnow.acrobat.com/{roomname}?exx=eDp7dXRmOF9lbmNvZGUoZGFyaXVzKX06OmRtOmFnZW50ZG06aHR0cHM6Ly9jb25uZWN0bm93LmFjcm9iYXQuY29tL2hpaW50ZXJmYWNlL2RtOjEwMDo4N2NmNWUwMjIzZTVhMmFkYzI2MmY4MDVlNWJmMWVlM2Y4OTJlY2Qx&mode=xml&x=0.2519759591668844
#THROWING ERROR# bad authentication key
There are a few mistakes in the key. There is some PHP 'code' in it (wrong string expansion?) and you are using a full URL instead of the room name.
If you want more details send me a private message, but you should check the way you call the get authentication token method. -
AD External Authentication Plug-In verification issue
We are working on a Proof of Concept instance to integrate MS AD with OID for the first time for E-Biz 11i.
1) I completed the bulk load of all the existing users from AD to OID successfully
2) Completed enabling the synchronization profile
3) Ran the txkrun.pl successfully
4) However, I wanted to check the external authentication plug-in and I get the below issue.
How to debug ldapcompare ? Where is the logfile for ldapcompare ?
ldapcompare -h OID_Host -p 389 -D "cn=orcladmin" -w ******* -b "cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us" -a userPassword -v abcdefgh
The value abcedefgh is not contained in the attribute userPassword in DN cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us.
An ldapbind on the same AD server is successful, but ldapcompare is failing. I get invalid credentials, though the network password is correct. I feel I messed up the 3rd party plug-in configuration somewhere. Is there a method to get debug information for the ldapcompare command?
From metalink NOTE : 277382.1
"When using the above command, ldapcompare binds to OID using the OID admin user (typically "cn=orclAdmin") and password. Then it provides the AD username and requests that the value supplied as AD-USER-PASSWORD be compared to whatever is stored in AD username's userPassword attribute. Because OID does not store a value in its own user entries/userPassword attributes for AD-synchronized entries, this ldapcompare call will cause OID to invoke the plug-in and verify the userPassword value in AD instead.
If the plug-in works, the ldapcompare should return a message saying that the given password is contained in the userpassword attribute, e.g.
" -
External authentication on Essbase 9.3.1
I am migrating from Essbase 7.3.x on 32-bit Windows to System9 on 64-bit windows. External authentication works on both Shared Services and EAS. I have successfully registered EAS and Essbase with shared services however I do not see Essbase in "User console" of Shared Services as an application. I am able to create native authenticated users in Essbase but unable to externalise the security. I get the following error messages when trying to externalise:
Error: 1051549: Can not convert Analytic Services to Shared Services mode when Analytic Services is not configured with Shared Services or the initialization process has failed
On starting Essbase, I see the following error message when I use the same CSSconfig file as used by shared services:
[Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Error(1051223)
Single Sign On function call [css_init] failed with error [getOSVersion]
[Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Info(1051198)
Single Sign-On Initialization Failed !
If I point to the current CSS file used in production Essbase 7, I get the following message:
[Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Error(1051223)
Single Sign On function call [css_init] failed with error [-1]
[Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Info(1051198)
Single Sign-On Initialization Failed !
In either case everything except External Authentication on System9 for Essbase works.
Both shared services and Essbase are on the same 64-bit Windows box.
Any help in resolving this will be greatly appreciated.
Thanks,
Vikram.
Hi:
I recommend following these steps:
1. Go to the box where you have your Essbase installed
2. Pull up the Shared Services Configuration Utility
3. Select Component to be registered as Essbase
4. Remember to stop Essbase - I assume you are getting the error, hence Essbase would not have loaded.
5. Re-register Essbase with Shared Services
6. Start Essbase in foreground
It should start :) Good luck. Let me know if this failed.
Thanks,
Sriram -
External Authentication won't correctly set USER name or Role
I am using Java under Google App Engine for my backend and attempting to log a user into a room using external authentication. I can connect and get into the room just fine; my issue is with the user information once I am logged in. The user has a null username and ID (possibly generated) and their role is set to zero (or at least not high enough to publish). If the room is set to auto-promote then I do have the ability to publish (this is what I would expect) but still I needed the user to have a role of owner (so they can create nodes).
Here is a little of the java on the back end (I removed my shared secret):
public String getRoomToken(String roomID, String userName, String userID, int userRole) {
    try {
        Session session = am.getSession(roomID);
        // hard-coded test values; the commented line passes the real parameters through
        return session.getAuthenticationToken(..., "Bob", "TestID", 100);
        //return session.getAuthenticationToken(..., userName, userID, userRole);
    } catch (Exception e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
        return null;
    }
}
getAuthenticationToken is hardly changed from what is in the AFCS.java in the examples folder, but here it is in any case:
/** get an external authentication token */
public String getAuthenticationToken(String accountSecret, String name, String id, int role) throws Exception {
    if (role < UserRole.NONE || role > UserRole.OWNER)
        throw new Error("invalid-role");
    // unsigned token: x:name::account:id:room:role
    String token = "x:" + name + "::" + this.account
        + ":" + id + ":" + this.room + ":" + Integer.toString(role);
    // append the signature computed over the unsigned token with the shared secret
    String signed = token + ":" + sign(accountSecret, token);
    // unencoded
    //String ext = "ext=" + signed;
    // encoded
    String ext = "exx=" + Utils.base64(signed);
    return ext;
}
This should work. My shared secret is removed above but I doubt that is the problem, as my app does authenticate just fine; it just throws an exception telling me I don't have the required permissions to publish when I try to do anything. While observing from the DevConsole I see a user in the room but they are marked as null. Note that non-external authentication works just fine. If I hardcode my login creds in AdobeHSAuthenticator I can get in just fine with no issue. Also, if the room I get an authentication token for does not match the roomURL I connect to with ConnectSessionContainer, I will fail to login correctly, as I would expect. So I know my credentials are getting to the AFCS and being decrypted correctly (as I can only authenticate for the room I send in that credential token) but for some reason it simply won't set my role and username/userid correctly. Any help would be great; this has caused me a great deal of grief for days now...
Thanks guys...
Ves
Well, this is weird. I was trying to set this up so that I could get the log output on that run and I ended up changing
<rtc:AdobeHSAuthenticator id="auth" authenticationKey="{Application.application.parameters['token'] as String}"/>
to
<rtc:AdobeHSAuthenticator id="auth" authenticationKey="{token}"/>
and adding a preinitialize function of:
protected function preInit():void {
    templateID = Application.application.parameters['room'];
    token = Application.application.parameters['token'];
}
Oddly enough it now works like a charm. It is still disconcerting that I was able to actually enter the room even though my token was somehow corrupted (that probably isn't intended behavior). If this shows up again I will try and track down the particulars and send you guys an email as an FYI. Thanks for the help....
Ves -
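The token layout from the getAuthenticationToken posted above, and the two mistakes called out in the PHP thread (a full URL in the room field, unexpanded PHP code in the name), worked through in Python as an added example that is not code from the original posts or from the AFCS SDK. It assumes that sign() is HMAC-SHA1 hex-encoded and that UserRole.NONE / UserRole.OWNER are 0 and 100; both are assumptions, and "s3cret", "dm", "myroom" are constructed sample values.

```python
import base64
import hashlib
import hmac

# Token layout taken from the getAuthenticationToken posted above:
#   x:<name>::<account>:<id>:<room>:<role>   then   ":" + sign(secret, token)
# Assumption (not stated on the page): sign() is HMAC-SHA1 over the unsigned
# token, hex-encoded. The sample key in the PHP thread decodes to a 40-hex-char
# trailer, which is consistent with that, but it remains an inference.
ROLE_NONE = 0     # assumed numeric value of UserRole.NONE
ROLE_OWNER = 100  # assumed numeric value of UserRole.OWNER (100 is used above)


def sign(secret, token):
    return hmac.new(secret.encode(), token.encode(), hashlib.sha1).hexdigest()


def encode_signed(secret, token):
    """Append the signature and base64-encode, as the posted 'exx=' branch does."""
    signed = token + ":" + sign(secret, token)
    return "exx=" + base64.b64encode(signed.encode()).decode()


def make_token(secret, account, room, name, user_id, role):
    """Backend side: returns the exx= value, or an 'error: ...' string that
    mirrors the two mistakes pointed out in the PHP thread above."""
    if not ROLE_NONE <= role <= ROLE_OWNER:
        return "error: invalid-role"
    for label, value in (("name", name), ("account", account),
                         ("id", user_id), ("room", room)):
        if ":" in value or "{" in value:
            # A full room URL (contains ':') or an unexpanded '{...}' PHP
            # expression would break the colon-separated layout.
            return f"error: {label} must be a bare value, got {value!r}"
    return encode_signed(secret, f"x:{name}::{account}:{user_id}:{room}:{role}")


def verify_token(secret, expected_account, expected_room, exx):
    """Service side: returns ("ok", (name, id, role)) or (reason, None).
    The signature is checked before any field is trusted, and the account/room
    must match the room actually being joined."""
    if not exx.startswith("exx="):
        return ("missing exx= prefix", None)
    try:
        signed = base64.b64decode(exx[4:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return ("bad base64", None)
    token, sep, sig = signed.rpartition(":")
    if not sep or not hmac.compare_digest(sig.encode(), sign(secret, token).encode()):
        return ("bad authentication key", None)  # wrong secret or tampered
    parts = token.split(":")
    if len(parts) != 7 or parts[0] != "x" or parts[2] != "":
        return ("malformed token", None)  # e.g. a URL where the room name belongs
    _, name, _, account, user_id, room, role_text = parts
    if account != expected_account or room != expected_room:
        return ("token issued for another account/room", None)
    if not role_text.isdigit() or not ROLE_NONE <= int(role_text) <= ROLE_OWNER:
        return ("invalid-role", None)
    return ("ok", (name, user_id, int(role_text)))


if __name__ == "__main__":
    # Constructed sample values; "s3cret" stands in for the real shared secret.
    exx = make_token("s3cret", "dm", "myroom", "Bob", "TestID", ROLE_OWNER)
    print(exx)
    print(verify_token("s3cret", "dm", "myroom", exx))      # ("ok", ("Bob", "TestID", 100))
    print(verify_token("s3cret", "dm", "otherroom", exx))   # room mismatch is rejected
```

-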
External Authentication in 9.0.2
I have an external authentication module with Login Server 3.0.9 and I'm migrating my applications to the new release.
I checked for the ssoauthx.pks package specification and it says that external authentication module is no longer supported with this release. The only way to authenticate my users is to sync with oid.
Is this the only way to do external authentication? Will future versions of iAS still depend on OID for authentication?
Hi Nestor,
I am also looking for a similar solution and am thinking of giving you some suggestions....
Oracle 9iAS R2 makes it mandatory to use OID (or sync with OID) in the SSO architecture.
We are trying to implement a plug-in procedure (when_compare_replace) in OID to replace the password comparison for SSO requests. We are planning to check for our cookie to authenticate the user.
but i don't know how exactly this will work...
hope this helps
-vijay -
Hi, my application is a Pro*C / Oracle 8i based application. I was using hardcoded user IDs and passwords, which we removed through an externally authenticated user. Now my application is stable in production but users are complaining of very slow performance of the Oracle database.
Is this due to the externally authenticated user ID? Does it impact system performance?
Edited by: user594301 on Jan 21, 2009 3:01 AM
Were you using lightweight sessions or connection pooling before and now initiating a new connection for each user?
-
External Authentication in EAS using MSAD
We use MSAD for our external authentication and it works fine if the user logon names are set up a certain way in MSAD. However, some of them are set up differently and Essbase won't allow us to use external authentication for them. Is there a setting somewhere in Essbase that can be changed to allow more than one user logon name format coming from MSAD?
Hi Krista,
Unfortunately you cannot specify two formats to authenticate. If I understand correctly you want to identify a user in MSAD by more than one field; as far as I know, the Essbase external authentication XML file cannot use more than one field.
Your most probable solution to this would be to add the field you are using in your XML file to all users using Essbase in MSAD.
Please use the following link if you need further information.
http://dev.hyperion.com/techdocs/essbase/essbase_712/Docs/techref/techref.htm#config/security/configure/config.htm
Here is the sample Active Directory format.
<msad name="msadServer"> <trusted>false</trusted> <url>ldap://host:portNo/DIT</url> <userDN>cn=UserName</userDN> <password>UserPassword</password> <user><url>ou=people</url></user> <group><url>ou=Groups</url></group></msad>
-
Hi,
We need to be able to support external authentication to Oracle 8i. The system we develop is based on a J2EE architecture framework and is being deployed on the BEA Weblogic 8 under SUN Solaris. Currently we are using Oracle Type 4 thin driver. The database is already configured to support OPS$ accounts but we are having problems implementing it in Java. Any suggestions or recommendations? Does somebody have experience implementing it?
Thanks in advance,
Mike
Did you try copying the DLL file to the places where it is needed and adding the path to the DLL file in your system environment variables?
I had these issues and I copied the DLL file wherever the error message was looking for it and it worked absolutely fine.
Hope this helps!
-
External Authentication 2106 WLC help
Hello,
We have setup a 2160 WLC for external authentication so that we can control the look and feel of the web pages a bit better.
I wanted to better understand how to setup the page to handle errors. I'm trying to determine how the errors get posted back to the external web page.
My understanding is that the form is "POST" to the 1.1.1.1, when it redirects to the external web auth due to an error are the values (error codes, redirect url, etc) appended to the query string?
If they are appended to the query string, what are the variable names we should be looking for?
Thanks in advance
Josh,
I would recommend reviewing the source within the Web Authentication templates for info on customizable error codes... available on Cisco.com:
Wireless -> WLCs -> Select a model -> Web Authentication Bundle
Best,
Drew
Sent from Cisco Technical Support
iPhone App