FDM 11.1.1.3 Now NTLM Authentication Disabled
Hi Everyone,
I've just upgraded from 11.1.1.2 to 11.1.1.3. Now when I go in to the Load Balance Manager, NTLM authentication is Disabled.
I am prompted when I try to edit that the provider type must be configured directly in Shared Services. I have an authentication type of NTLM that all other products are using.
Does anyone know how to Enable NTLM for FDM?
Or a work around setting up Shared services with FDM. I cannot see any FDM references in SS
Thanks
G
Hi,
Thanks for your quick reply. I have done all the upgrades and configuration you mention. All successful.
What authentication method should be in SS and where are the references to FDM? I have NTLM & Native (OpenLDAP)
Surely I should I see a reference to FDM in the Application groups and when I provision users. (I don't currently)
Thanks
G
Similar Messages
-
Public-facing on-premises SharePoint with NTLM authentication
I've been searching for authentication best practices for public-facing SharePoint site but I didn't find any useful resources on the issue that is troubling me.
Assume I set up a web application with Classic NTLM authentication. On that web application I enable
Anonymous access. This means that users inside organization's network will be able to authenticate (actually use SSO) using organization's DC. They will be able to access and administer all content. All other anonymous users will be able to see
published content only i.e. content which is permitted to anonymous users.
My question is: Is this kind of setup a security issue because if a potential attacker hacks a WFE then he has direct access to DC?
Is FBA maybe a better solution for public-facing sites? Or maybe use NTLM, but create a separate domain with one-way trust to organization's domain?There are many variations you can take with this - and really you need to consider more than just your content. For true separation:
I would have a dedicated DC to manage service accounts.
I would break up my DMZ behind firewall contexts with a reverse proxy publishing SharePoint at the edge.
proxy/firewall -- SP Server -- Firewall -- SQL/DC
For true separation you don't want to share any underlying infrastructure with internal either, although in reality logical separation is usually enough.
Now you have to deal with internal user authentication and how to handle that. The first thing is I would have at minimum two webs available, your primary for editing and the extended version for public access.
While a one way trust would work - you still do expose user info out to the public which you may not want. With this configuration you could configure people picker to only select from a particular OU to minimize this.
Another option however is to look at using ADFS between your domains and create the trust there. You would have to configure the farm for claims auth to make this work, but this would eliminate the possibility of probing all the users in AD or the OU you expose.
With the ADFS method when you update documents you user name is still tagged to content - however if you don't populate the user profiles this will be the only information available about any internal user.
You may even want to go a step further and when you extend the public site, use forms authentication but don't provide any users. Then there is no authenticated access from the public URL. And with ADFS/Reverse Proxy may you even be able to configure some pre
authentication for your internal users before they can even reach the internal SharePoint pages.
I would strongly consider moving to SharePoint 2013 and looking at the cross site publishing (2010 and below have the content publishing - but stay away from that, when it works it's great, but when it doesn't it's a PITA to get back in sync). with cross site
publishing you have an editing site and the publishing site pulls from the Search index and the permissions are completely separate. -
Ntlm authenticated apps fails after 3.1.1 upgrade
I upgraded my apex instance to 3.1.1 on Friday without any issues. I can log into application builder without any problems and the version 3.1.1.00.09.
Everything in app builder works as expected. However, when I try to run my NTLM authenticated application, I get errors and the page fails to load.
Furthermore, this only happens on my 11g database.
The exact same app, using the same NTLM authentication works just fine on 10g.
The Apache errors log states:
mod_plsql: /pls/apex/f HTTP-404 ORA-03113: end-of-file on communication channel\n
mod_plsql: Unable to reset state for mode 0: Err 3114 url=>/pls/apex/f I have PlsqlErrorStyle DebugStyle set, so the page returns a fair amount of data.
Wed, 28 May 2008 14:07:17 GMT
ORA-03113: end-of-file on communication channel
DAD name: apex
PROCEDURE : f
URL : http://ecydblcyorwqt03.ecy.wa.lcl:80/pls/apex/f?p=127:51:339228564056494:::::
PARAMETERS :
===========
p:
127:51:339228564056494:::::
ENVIRONMENT:
============
PLSQL_GATEWAY=WebDb
GATEWAY_IVERSION=2
SERVER_SOFTWARE=Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
GATEWAY_INTERFACE=CGI/1.1
SERVER_PORT=80
SERVER_NAME=ecydblcyorwqt03.ecy.wa.lcl
REQUEST_METHOD=GET
QUERY_STRING=p=127:51:339228564056494:::::
PATH_INFO=/f
SCRIPT_NAME=/pls/apex
REMOTE_HOST=
REMOTE_ADDR=165.151.57.100
SERVER_PROTOCOL=HTTP/1.1
REQUEST_PROTOCOL=HTTP
REMOTE_USER=ECY\taus461
ORACLE_SSO_USER=
OSSO_IDLE_TIMEOUT_EXCEEDED=
OSSO_USER_GUID=
HTTP_CONTENT_LENGTH=
HTTP_CONTENT_TYPE=
HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
HTTP_HOST=ecydblcyorwqt03
HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_ENCODING=gzip,deflate
HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_COOKIE=WEBWPLCS_USER=TAUS461; WEBWPLCS_LAST=04.29.2008 11:41:38; ORA_WWV_R1=%23ALL; ORA_WWV_R2=%23ALL; ORA_WWV_R3=%23ALL; ORA_WWV_REMEMBER_UN=ADMIN:webwplcs; ORACLE_PLATFORM_REMEMBER_UN=ADMIN:webwplcs; ORA_WWV_USER=3B1A5D9EA835D646; WWV_CUSTOM-F_1021906798187125_122=9F806B35C3D9AF51
HTTP_IF_MODIFIED_SINCE=
HTTP_REFERER=http://ecydblcyorwqt03/pls/apex/f?p=4000:4150:339228564056494::NO:::
HTTP_SOAPACTION=
HTTP_ORACLE_ECID=1211983633:165.151.5.125:6156:6252:488,0
HTTP_ORACLE_CACHE_VERSION=
HTTP_AUTHORIZATION=NTLM xyz
WEB_AUTHENT_PREFIX=
DAD_NAME=apex
DOC_ACCESS_PATH=docs
DOCUMENT_TABLE=wwv_flow_file_objects$
PATH_ALIAS=
REQUEST_CHARSET=AL32UTF8
REQUEST_IANA_CHARSET=UTF-8
SCRIPT_PREFIX=/pls
HTTP_IF_MATCH=
HTTP_CACHE_CONTROL=
SOAP_BODY=
HTTP_X_ORACLE_DEVICE_CLASS=
HTTP_X_ORACLE_DEVICE_ORIENTATION=
HTTP_X_ORACLE_DEVICE_MAXDOCSIZE=
HTTP_X_ORACLE_DEVICE=
HTTP_X_ORACLE_ORIG_ACCEPT=
HTTP_X_ORACLE_ORIG_USER_AGENT=
HTTP_X_ORACLE_USER_LOCALE=
HTTP_X_ORACLE_USER_NAME=
HTTP_X_ORACLE_USER_DISPLAYNAME=
HTTP_X_ORACLE_USER_USERKIND=
HTTP_X_ORACLE_USER_AUTHKIND=
HTTP_X_ORACLE_USER_DEVICEID=
HTTP_X_ORACLE_USER_LOCATION_ADDRESSLINE1=
HTTP_X_ORACLE_USER_LOCATION_ADDRESSLINE2=
HTTP_X_ORACLE_USER_LOCATION_ADDRESSLASTLINE=
HTTP_X_ORACLE_USER_LOCATION_BLOCK=
HTTP_X_ORACLE_USER_LOCATION_CITY=
HTTP_X_ORACLE_USER_LOCATION_COMPANYNAME=
HTTP_X_ORACLE_USER_LOCATION_COUNTY=
HTTP_X_ORACLE_USER_LOCATION_STATE=
HTTP_X_ORACLE_USER_LOCATION_POSTALCODE=
HTTP_X_ORACLE_USER_LOCATION_POSTALCODEEXT=
HTTP_X_ORACLE_USER_LOCATION_COUNTRY=
HTTP_X_ORACLE_USER_LOCATION_TYPE=
HTTP_X_ORACLE_USER_LOCATION_X=
HTTP_X_ORACLE_USER_LOCATION_Y=
HTTP_X_ORACLE_SERVICE_HOME_URL=
HTTP_X_ORACLE_SERVICE_PARENT_URL=
HTTP_X_ORACLE_HOME_URL=
HTTP_X_ORACLE_MODULE_CALLBACK_URL=
HTTP_X_ORACLE_MODULE_CALLBACK_LABEL=
HTTP_X_ORACLE_CACHE_USER=
HTTP_X_ORACLE_CACHE_SUBID=
HTTP_X_ORACLE_CACHE_AUTH=
HTTP_X_ORACLE_CACHE_DEVICE=
HTTP_X_ORACLE_CACHE_LANG=
HTTP_X_ORACLE_CACHE_ENCRYPT=
HTTP_X_ORACLE_ASSERT_USER=There are no invalid objects in the FLOWS schema and the page sentry function I use for NTLM is also valid.
There isn't a database connection issue since both builder and SQL Plus works.
Here is my NTLM Page Sentry which is a slightly modified version of the GreenIT version
CREATE OR REPLACE FUNCTION modNtlmPageSentry(pApexUser IN VARCHAR2 DEFAULT 'APEX_PUBLIC_USER')
RETURN BOOLEAN
IS
vAuthenticatedUsername VARCHAR2(512);
vCurrentSessionId NUMBER;
l_cnt binary_integer :=0;
BEGIN
-- Get Authenticated User.
vAuthenticatedUsername := UPPER(owa_util.get_cgi_env('REMOTE_USER'));
vAuthenticatedUsername := substr(vAuthenticatedUsername,instr(vAuthenticatedUsername,'\')+1);
if to_char(v('APP_ID')) = '127' -- WebWPLCS
then
apex_util.set_session_state('P18_USERNAME',vAuthenticatedUsername);
elsif to_char(v('APP_ID')) = '124' --TMS
then
-- check to see if they are a listed TMS manager or overall admin
select sum(cnt) into l_cnt
from (
select count(0) cnt
from tms_managers
where username=vAuthenticatedUsername
union
select count(0) cnt
from tms_admin
where username=vAuthenticatedUsername
union
select count(0) cnt
from web_admin
where username=vAuthenticatedUsername
if l_cnt < 1
then
return FALSE;
end if;
end if;
-- Check to ensure that we are running as the correct database user.
IF USER ^= UPPER(pApexUser) THEN
RETURN FALSE;
END IF;
IF vAuthenticatedUsername IS NULL THEN
RETURN FALSE;
END IF;
-- Get SessionId.
vCurrentSessionId := wwv_flow_custom_auth_std.get_session_id_from_cookie;
-- Check Application Session Cookie.
IF wwv_flow_custom_auth_std.is_session_valid THEN
apex_application.g_instance := vCurrentSessionId;
-- Check Authenticated User --> Username from wwv_flow_session$ for
-- current Session.
IF vAuthenticatedUsername = wwv_flow_custom_auth_std.get_username THEN
wwv_flow_custom_auth.define_user_session(p_user => vAuthenticatedUsername,
p_session_id => vCurrentSessionId);
RETURN TRUE;
ELSE
-- Unset the Session Cookie and redirect back here to take other branch.
wwv_flow_custom_auth_std.logout(p_this_flow => v('FLOW_ID'),
p_next_flow_page_sess => v('FLOW_ID') || ':' || NVL(v('FLOW_PAGE_ID'), 0)
|| ':' || vCurrentSessionId);
-- Tell Apex Engine to quit.
apex_application.g_unrecoverable_error := TRUE;
RETURN FALSE;
END IF;
ELSE
-- Application Session Cookie not valid --> Define a new Apex Session.
wwv_flow_custom_auth.define_user_session(p_user => vAuthenticatedUsername,
p_session_id => wwv_flow_custom_auth.get_next_session_id);
-- Tell Apex Engine to quit.
apex_application.g_unrecoverable_error := TRUE;
IF owa_util.get_cgi_env('REQUEST_METHOD') = 'GET' THEN
wwv_flow_custom_auth.remember_deep_link(p_url => 'f?' ||
wwv_flow_utilities.url_decode2(owa_util.get_cgi_env('QUERY_STRING')));
ELSE
wwv_flow_custom_auth.remember_deep_link(p_url => 'f?p=' ||
TO_CHAR(apex_application.g_flow_id) || ':' ||
TO_CHAR(NVL(apex_application.g_flow_step_id, 0)) || ':' ||
TO_CHAR(apex_application.g_instance));
END IF;
-- Register the Session in Apex Sessions Table, set Cookie, redirect back.
wwv_flow_custom_auth_std.post_login(p_uname => vAuthenticatedUsername,
p_session_id => nv('APP_SESSION'), p_flow_page => apex_application.g_flow_id
|| ':' || NVL(apex_application.g_flow_step_id, 0));
RETURN FALSE;
END IF;
END modNtlmPageSentry;Does anyone have any ideas on where to look next?
Regards, Tony
<b>Update</b>
For kicks, I added the page sentry function to the list in the <b>wwv_flow_epg_include_mod_local</b> function.
I bounced both the HTTP Server and the database.
None of these actions solved the problem.Joel -
The alert log states that there is a 7445 error now from Apache
host_id='ECYDBLCYORWQT01' host_addr='165.151.5.123' module='Apache.exe'
pid='416'>
<txt>Exception [type: ACCESS_VIOLATION, UNABLE_TO_READ] [ADDR:0x0] [PC:0x69A2AB3, _pfrinstr_BRNCCOND()+39]
msg_id='1422874948' type='INCIDENT_ERROR' group='Access Violation'
level='1' host_id='ECYDBLCYORWQT01' host_addr='165.151.5.123'
prob_key='ORA 7445 [pfrinstr_BRNCCOND()+39]' upstream_comp='' downstream_comp=''
ecid='' errid='12252' ORA-07445: exception encountered: core dump [pfrinstr_BRNCCOND()+39] [ACCESS_VIOLATION] [ADDR:0x0] [PC:0x69A2AB3] [UNABLE_TO_READ] []The trace file just states the same 7445 error:
ORA-07445: exception encountered: core dump [pfrinstr_BRNCCOND()+39] [ACCESS_VIOLATION] [ADDR:0x0] [PC:0x69A2AB3] [UNABLE_TO_READ] []The incident trace file states that the current SQL was:
----- Current SQL Statement for this session (sql_id=bng4udk9mvtsh) -----
declare function x return boolean is begin
return mergedwplcs.modNtlmPageSentry; return false; end;
begin
wwv_flow.g_boolean := x; end;
----- PL/SQL Stack -----
----- PL/SQL Call Stack -----
object line object
handle number name
2B6ACD34 1020 package body FLOWS_030100.WWV_FLOW_CUSTOM_AUTH_STD
2B6ACD34 662 package body FLOWS_030100.WWV_FLOW_CUSTOM_AUTH_STD
2B6BB44C 59 function MERGEDWPLCS.MODNTLMPAGESENTRY
2B6BBD1C 2 anonymous block
2B6BBD1C 4 anonymous block
2B6BC674 1815 package body SYS.DBMS_SYS_SQL
2B6BD29C 296 package body SYS.WWV_DBMS_SQL
2B70B5D0 1352 package body FLOWS_030100.WWV_FLOW_SECURITY
2B70B5D0 1158 package body FLOWS_030100.WWV_FLOW_SECURITY
2B71BA2C 8847 package body FLOWS_030100.WWV_FLOW
2B72FB04 255 procedure FLOWS_030100.F
2B7E4F1C 31 anonymous blockWhich makes sense given that I was trying to log into the application. All of these functions and packages are valid. -
Hi.
I'm looking for any example to create a passthrougth proxy service on a business service based on an endpoint HTTP that requires basic authentication plus NTLM domain.
I haven't OWSM on this OSB.
TIA
CorradoCorrado,
FYI, NTLM is no longer recommended -
http://msdn.microsoft.com/en-us/library/cc236715.aspx
http://en.wikipedia.org/wiki/NTLM
Now coming to your question, OSB does not support NTLM authentication mechanism. As a workaround, you may write a java client that can support NTLM authentication over HTTP and then use this as a java callout in your proxy. You may pass the incoming authentication info to the java callout which may perform the further work (authentication and service invoke)
Regards,
Anuj -
How to do HTTP getRequest() with windows NTLM authentication from OBPM..??
Hello All,
Please share your expert ideas how me can do HTTP getRequest() with windows NTLM authentication from OBPM..??
I am not sure even whether its possible or not, if not what could be the alternative way to do integration with MS SharePoint ??
Version : Oracle BPM v 10.3.1
Cheers
Parveen JaswalYou are only as secure as web browsing to the LogMeIn website is (which appears to use HTTPS). If your login on that site is compromised, they will have a list of your computers that they can attempt to connect to. As long as you don't save the login credentials, they would then also need to know what username and password to use to connect to the computer. Granted, a little social engineering, and they could probably get some good ideas what to try for those, but if you chose to make your computers secure with complex and hard to guess passwords then it should be fine.
I've been using LogMeIn from my Mac to my mom's Windows XP system from July 2009, and to my wife's Thinkpad running Win 7 since Oct 2009. None of the computers involved have had any security issues at all, let alone any caused by LogMeIn. For my wife's PC, it sits behind our NAT Firewall in our LinkSys Router (although I did have it behind a CheckPoint VPN Edge router for a while). My Mom's PC sits behind a Netgear Router providing its NAT Firewall. When my Mac isn't at home, it's generally behind that CheckPoint VPN router at my office now. It all works nicely from behind one router to behind another. The Piece that you install on the PC will log it into the LogMeIN website and that is how it gets through the router to the PC. You login to the website, select the PC to control, then login to that PC. -
Hello
I have the following scenario in my company for the development team: 1 server with SQUID proxy, 1 server with IIS7 and 1 site requiring NTLM authentication. NTLM is REQUIRED for compatibility purposes.
When i try to access the site from Windows XP or from other OS using safari or firefox i can access to the site and get the message "You are now authenticated using NTLM". No issues here.
When i am trying using Windows 7 or Windows 8 i get always the message "Proxy server isn't responding". I already followed several recommend steps on technet pages and forums (GPO's alterations, regedit values for NTLM, etc) and nothing works.
Does somebody has any idea? I am completely blocked.
Thanks in advance.Hi,
Please take a try with the following steps:
1. Open "Tools" -> "Internet Options".
2. On the "Advanced" tab make sure the option "Security -> Enable Integrated Windows Authentication" is checked.
3. On the "Security" tab select "Local Intranet" -> "Sites" -> "Advanced" and add your server URL to the list.
Hope this may help
Best regards
Michael Shao
TechNet Community Support -
APEX - NTLM Authentication slow
I've been trying to set up NTLM authentication for APEX as described on [this blog|http://jastraub.blogspot.com/2008/03/ntlm-http-authentication-and.html] and in [this whitepaper|http://www.oracle.com/technology/products/database/application_express/pdf/apex_ntlm_authentication_wp.pdf].
The enviroment is as follows:
DB: 10.1.0.4.2 on a windows 2003 SP2 server
Application server: 10.1.2.3.0 on a windows 2003 SP2 server
Clients: windows XP SP2 / IE 6 & 7 (tested both)
The authentication appears to work fine, but it does seem rather slow (~20 seconds).
I've tried using the earlier version of the page sentry function (without the hacky bits to trick IE) and this works pretty much instantly in Firefox (but gives the expectected problems in IE).
I've experimented with commenting various bits out to find out which bit might be causing the issue, and it apears to be when the session cookie is being re-written into the HTTP header
ie:
>
FOR ii IN 1 .. l_htp_rows LOOP
IF l_htp_buffer(ii) LIKE 'Set-Cookie:%' THEN
htp.p(l_htp_buffer(ii));
END IF;
END LOOP;
>
I've been trying to analyze the HTTP traffic, but it just appears that there is a 15-20 second delay before recieving a reponse from the server.
I've tried logging the steps int he function into a table, and it all seems to happen pretty much instantly, so I guess the issue seems to be occuring on the Apache server?
Does anyone have any ideas what might be causing this, or any further steps I could take to diagnose?
Thanks,
KeithI've got absolutely no idea what was causing the problem, but I've dropped recreated the auth procedure, and now it all seems to work fine.
very odd... -
Invoking a Web Service that Requests NTLM Authentication in BPEL Process
Hi,
I am trying to invoke a webservice which requires NTLM Authentication.able to test the service through SOAP ui .
Followed the steps memntioned in the oracle doc in order to invoke the same service through BPEL Process, some how I am facing issue when BPEL invokes the service. Here is the error message
oracle.fabric.common.FabricException: oracle.fabric.common.FabricException: Error in getting XML input stream: Response: '401: Unauthorized' for url:
Oracle doc link :-
http://docs.oracle.com/cd/E28280_01/admin.1111/e10226/soacompapp_secure.htm#BABJEBIF
http://www.albinsblog.com/2014/04/oraclewebservicespreemptivebasicauth.html#.VK5UEiuUeFM
The above link discuss about the properties that need to be set in composite.xml file in order to invoke the service.
I am using SOA 11.1.1.6, tried to implement the same steps but i could see the error message "Unauthorized for url ********** "
Could you please help me on this.
ThanksHi Guys ,
Got to kow that this is a bug. Some how following link helps in sending the payload to webservice which requires NTLM authentication thru JAVA.
Thoughts Oracle SOA OSB: NTML Authentication - Oracle SOA suite
Thanks -
Windows NTLM Authentication on SAP 4.6c (Platform AIX)
I am trying to use NCo 2.0 for C# .Net application with Web Service and C# Web UI.
My Users are in AD domain and need to authenticate on IIS via AD (Integrated NTLM)
I need to implement single sign on for SAP integrated application.
As per NCo documentation: I need to set-up trust relationship between IIS and SAP, use this trusted user (DOMAIN\IUSR_SAPPOOL) and send active directory id as external id in connection string. All transaction should run with external user id context.
Can someone help me with following question.
1. Does NTLM trust relationship / authentication on SAP running on AIX? or Do I have to setup kerberos authetication?
2. What SNC library needed for SAP (AIX instance)?
3. How can I configure NTLM authentication on SAP (AIX instance) The NCo 2.0 documents only explains SAP (MS instance) configuration.
What option do I have to get Single Sign On working?
Any help is highly appreciated.
Regards and Thank you in advance.> Hi Reiner,
> Thank you very much for response, this is helpful
> information.
If you consider an answer as helpfull, please mark it with the button on the left side :-).
> My options are pretty much limited,
> I can't use NTLM since, AIX will not accept trust
> -- NTLM Auth will not work with AIX
> -- Kerberos auth have to have third party tool like
> CyberSafe for SNC trust relationship.
As I wrote, you can use any SNC provider. Especially Secude would be interesting, as it is available on all platforms.
> I planning to try using SSO as mentioned in "Enabling
> Single Sign-On for ASP.NET Applications in Enterprise
> Portal 6"
> Is this approach works with EP 5.0?
This is a completely different approach: In the stuff I was writing to you before I was assuming that IIS would do the authentication. The other approach is that SAP Portal does it. This also works - EP 5.0 should be fine - but it works completely different. E.g. you doesn't need a trusted connection for SSO with MYSAPSSO2 ticket.
> If any one has "sapsecu.dll" please send me at
> [email protected] with same size as stated in
> this document.
This DLL is not allowed to be exported into some countries because it contains strong cryptography. You usually get it via your local SAP subsiduary.
> My SSO ticket did not get created after following
> steps in document, I am suspecting either sapsecu.dll
> or veryfy.pse is wrong?
Did you find a MYSAPSSO2 cookie in the request? -
Event ID 6038 LsaSrv NTLM authentication warning
Searching the internets we haven't found any other references to this particular Event ID Warning message.
It's likely new in Windows Server 2012, we are part of an Active Directory that is at Forest Functional Level:
Windows Server 2008, but out Child Domain is at Domain Functional Level:
Windows Server 2012 (3 Domain Controllers in our Child Domain).
Clicking on the URL in the Description of the Event ID just link to a ‘Windows Server Future Resources’ placeholder page.
The full Event ID is pasted in below.
We would like to know how to complete these checks, and if possible, raise our NTLM Authentication to Kerberos.
How are these tasks accomplished on Windows Server 2012 Domain Controllers?
Thanks in advance for any help!
Log Name: System
Source: LsaSrv
Date:
12/27/2012 6:00:01 PM
Event ID: 6038
Task Category: None
Level:
Warning
Keywords: Classic
User:
N/A
Computer: <server
FQDN>
Description:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
NTLM is a weaker authentication mechanism. Please check:
Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?
Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.Thank you for your reply, your links above address Kerberos vs. NTLM specifically for IIS.
I did more digging and found this TechNet link that deals with Kerberos vs. NTLM for Domain Controllers.
It looks to be the best/only article I can find from Microsoft on how to audit NTLM usage, and eventually get to the point of using the group policy settings - Network Security: Restrict NTLM.
So until they update/activate the URL in the 6038 Event ID description to something better/more concise, this TechNet link will have to do:
Auditing and restricting NTLM usage guide
http://technet.microsoft.com/en-us/library/jj865674(v=ws.10).aspx
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This guide for the IT professional introduces the steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies, which were introduced in the Windows Server 2008 R2 and Windows 7 operating
systems.
With the advent of more secure authentication protocols, such as Kerberos, industry requests for the ability to better manage the NTLM protocol in their environments have increased. Reducing the usage of the NTLM protocol in an IT environment requires both
the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively
restrict NTLM traffic.
This guide only addresses how to collect and analyze events by using functionality found in the Windows operating environment. -
Re: How to enable NTLM authentication in OSB???
Hi all,
We have the same problem trying to integrate OSB with and asmx service that uses NTLM.
We try an alternative, we have created the artifacts of asmx service using wsimport and we created a little java project using these artifacts. We also added a class with a static method in this project in order to be used by OSB java callout mechanism. When this project if used standalone (through eclipse) works fine and as the environment is windows server, it sends automatically to the client the credentials of user that is logged on windows domain. On the other hand when we deploy this java project in OSB as jar for callout we receive : Response: '401: Unauthorized' exactly at the point that the produced artifact class invokes the constructor of javax.xml.ws.Service in order to create an instance of the service.
Can it be the same problem stated by 830428?
The stack trace:
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:172),
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:153),
com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:284),
com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:246),
com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:197),
com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:187),
weblogic.wsee.jaxws.spi.WLSServiceDelegate.<init>(WLSServiceDelegate.java:73),
weblogic.wsee.jaxws.spi.WLSProvider$ServiceDelegate.<init>(WLSProvider.java:515),
weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:103),
weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:95),
weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:71),
javax.xml.ws.Service.<init>(Service.java:56),
org.tempuri.EDoc.<init>(EDoc.java:46),
after that (actually before) is just our code which calls the @WebServiceClient Class (the local artifacts which are used to call the actual web service).Kuppusamy.V.,
We experiened the same issue as you and managed to find a solution to the problem.
The OSB does not support NTLM authentication, so you are quite correct in stating you must write a Java class and use a Java callout from an OSB Proxy Service.
Our Java class worked fine from the Unix commandline, but failed when deployed to the OSB and invoked by the proxy service with the dreaded '401 Unauthorised' error.
On closer inspection, the proxy service stack trace revealed:
java.io.FileNotFoundException: Response: '401: Unauthorized' for url: 'http://your.domain.here/default.aspx' at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:474)
We noticed that the exception was being thrown from the WebLogic 'weblogic.net.http.HttpURLConnection' class and not the Sun 'java.net.HttpURLConnection' as we expected (and our Java code explicitly imported)!
We couldn't understand why a different HTTP handler was being invoked, but it got us thinking. And thinking. And raising an Oracle support ticket. And waiting.
Tired of waiting, we revisited the problem and chanced across the Javadoc for the 'java.net.URL' class and noticed one of the constructors allows you to specify a HTTP handler!
Instead of opening our URL with this typical usage:
URL url = new URL(yourURL);
HttpURLConnection http = (HttpURLConnection) url.openConnection();
We used:
URL url = new URL(null, yourURL, new sun.net.www.protocol.http.Handler());
HttpURLConnection http = (HttpURLConnection) url.openConnection();
And, hey presto!, it worked a treat.
And we closed the Oracle service ticket. And stopped waiting :)
Regards,
Jerome -
Setting up an external content type without having to change it to NTLM authentication?
Referring to: https://www.kenplaysviola.com/content/sharepoint2010-business-connectivity-path-unavailable
and tested to be true. However, I have a site that I am not using NTLM - is there a way around this???Hi,
Based on your description, my understanding is that you can’t
set up an external content type with Basic authentication web application.
What errors have you got?
I have done a test in my SharePoint, when I opened Basic authentication site with SharePoint Designer, I got an error
”Access to this web server is disabled by default because it is controlled by basic authentication and doesn't use SSL…”.
But I could create an External List in the Basic authentication site successfully. I set up an external content type with NTLM authentication site. Then I created an External List in the Basic authentication
site which referred to the existing external content type, it worked fine.
So if you don’t want to change your web Application to NTLM authentication, try to create another web Application with NTLM authentication, then create a site collection and create an external content type,
last create an External List in the Basic authentication site referring to the existed external content type in NTLM authentication site.
Also, here is a blog about
Access denied by Business Data Connectivity, you can take a look at:
http://blogs.msdn.com/b/ericwhite/archive/2010/06/11/access-denied-by-business-data-connectivity.aspx
Best Regards,
Lisa Chen -
Authenticator not being invoked - NTLM authentication against IIS 6.0 !!
Hi Folks,
I am trying to access Microsoft Reporting Service running on IIS 6.0 through a Web Proxy (a simple application running in an App Server) using the NTLM authentication. This is what i am doing
Authenticator.setDefault(new ReportAuthenticator());
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();.
As i understand, the authentication is to magically work with the IIS Server requesting my web proxy for the credentials on connect whcih should involke the Authenticaor class.
Howver this is not happening at the moment. The authenticator object never gets invoked and even then my web proxy is being able to chat to IIS. The Sun app server hosting my web proxy is somehow passing my windows credentials to IIS and since my account has sufficient previliges on IIS, i am able to get through the initial connection.
When i debug the urlConnection object, i can see that the connection recognises that this is an NTLM authentication but is obviously not using the Authenticator credentials.
Is the Authenticator object meant to be invoked automatically or do i need to set some header information in the urlConnection??
Any help is greatly appreciated.
P.S: I am using JDK 1.5, IIS 6.0, Sun App Server 9.0 (platform edition)
best regards
DushyHi,
we had the same problem, but we got support
from readme.txt
Bug#: 6789020
Agent type: All Agents
Description: In CDSSO mode non enforced POST requests cannot be accessed
Bug#: 6736820
Agent type: IIS 6 Agent
Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
Both bugs should be fixed in this version:
Sun Java System Web Agents 2.2-02 hotpatch2 -
ClassNotFound error when loading applet from a NTLM authenticated site
Hi,
I wrote a Java applet and put it into a JAR file and signed the JAR file. It works fine if the user doesn't need to be authenticated. However, when I place the same JAR to a site that uses NTLM (NT challenging) authentication. The applet failed to load and returns ClassNotFound exception. Does anyone know why?
The following is the complete error message:
java.io.IOException: Server returned HTTP response code: 401 for URL: http://unibox.MySite.com/fileupload/FileUpload.jar
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:697)
at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:369)
at sun.net.www.protocol.http.HttpURLConnection.getHeaderFields(HttpURLConnection.java:1139)
at sun.plugin.net.protocol.http.HttpURLConnection.checkCookieHeader(HttpURLConnection.java:330)
at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:367)
at sun.plugin.net.protocol.http.HttpUtils.followRedirects(HttpUtils.java:39)
at sun.plugin.cache.CachedJarLoader.download(CachedJarLoader.java:311)
at sun.plugin.cache.CachedJarLoader.load(CachedJarLoader.java:131)
at sun.plugin.cache.JarCache.get(JarCache.java:177)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(CachedJarURLConnection.java:71)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(CachedJarURLConnection.java:56)
at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:498)
at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:459)
at sun.misc.URLClassPath$2.run(URLClassPath.java:255)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:244)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:221)
at sun.misc.URLClassPath.getResource(URLClassPath.java:134)
at java.net.URLClassLoader$1.run(URLClassLoader.java:190)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:186)
at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:132)
at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:189)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:112)
at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:473)
at sun.applet.AppletPanel.createApplet(AppletPanel.java:548)
at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1621)
at sun.applet.AppletPanel.runLoader(AppletPanel.java:477)
at sun.applet.AppletPanel.run(AppletPanel.java:290)
at java.lang.Thread.run(Thread.java:536)
load: class FileUpload.class not found.
java.lang.ClassNotFoundException: FileUpload.class
at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:151)
at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:189)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:112)
at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:478)
at sun.applet.AppletPanel.createApplet(AppletPanel.java:548)
at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1621)
at sun.applet.AppletPanel.runLoader(AppletPanel.java:477)
at sun.applet.AppletPanel.run(AppletPanel.java:290)
at java.lang.Thread.run(Thread.java:536)
Caused by: java.io.IOException: open HTTP connection failed.
at sun.applet.AppletClassLoader.getBytes(AppletClassLoader.java:224)
at sun.applet.AppletClassLoader.access$100(AppletClassLoader.java:40)
at sun.applet.AppletClassLoader$1.run(AppletClassLoader.java:141)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:138)
... 10 moreIt appears that the latest jvm plugins use java to get the archive files instead of using the browser to download the archive files.
In addition sun does not support NTLM authentication, because of this the latest jvms are unable to download the jar file containing the applet.
I have been working on finding a way to replace suns http Handler, but have had no luck with setting the java.protocol.handler.pkgs for the plugin and having it retain the setting.
I have achieved partial results using the appletviewer with -J-Djava.protocol.handler=com.nogoop
you might try taking a look at http://www.nogoop.com -
Prerequisites for Using Windows NTLM Authentication
Hi,
One of the prerequisites for using Windows NTLM Authentication, mentioned on help.sap.com documentation, is:
- The users Web browser must be a Microsoft Internet Explorer
This means that users not using Internet Explorer cant authenticate using other web browser (Firefox and Netscape).
In PAM, SAP says that web browser based on mozzila 1.7.x is also supported, and from this version on, Firefox and Netscape, both, support NTLM.
NTLM Authentication in portal, still be supported with IE web browser?
Thanks and Regards,
PaulHi Paul,
I suspect that although it may not be officially supported, it will work. The main thing is that a frontend web server perform the NTLM authentication and pass the header variable back to the J2EE engine. By the time the header gets back to the J2EE engine, I dont think the portal has any idea how the header REMOTE_USER was generated, just that it was.
Not positive though, as I havent tested the scenario you describe below..just thought I'd throw in my two cents.
Marty
Maybe you are looking for
-
I have created my first template in dreaweaver (CS3). The editable region works except for one small problem... I cannot change the style. It will not allow changing any content from H2 tag & Style 2. My original template for this editable region
-
Problem in Converting a Web App to a Desktop App
Hi all, I am just new to Flex! I have a "web application" and I want to convert it to an "Air application". I use the "Add/change project type" in the context menu. As I found here, this process rewrites the Appliaction tag with WindowedApplication i
-
Hi All, Can anyone redirect me to the url to download standalone oc4j 1.0.2.2.2 because at below this url http://otn.oracle.com/software/products/ias/htdocs/winsoftold.html I could see only Version 1.0.2.2.1 and Version 1.0.2.2 for download. Thanks &
-
Any method to query inventory by period
I need to get the inventory by specific date range, other than using material doc to calculate the inventory(I afraid the performance issue), Any other method can i use. Thanks!
-
Numbers: how to edit multiple "sheets" "tables" all at the same time
I have read earlier posts from 2004 about this topic. Hoping things have changes. I have 19 sheets/tables in a numbers file "Pigeonrecords.numbers". I would like to globally alter all of them a one time as new columns or rows are needed and or data t