FTPS certificate hash BT2010
Hey Folks,
I have been trying to get FTPS Adapter to work in BT 2010 for two days and can't seem to crack it.
I keep getting the Windows Event Log Error 'The adapter "FTP" raised an error message. Details "Unable to connect to FTP server "xxx.xxx.xxx.xxx" as user "xxxx". Inner Exception details: "The specified client certificate hash is invalid. Provide a valid client certificate hash. ". ".'
I have logged into the machine as the same account as the host instance is running as, added the certificate to the personal store and the trusted root store, taken the hash from the certificate and populated it in the SSL Section of the Adapter as depicted on Mikael's blog post on it: http://blogical.se/blogs/mikael/archive/2010/09/26/how-to-use-the-new-ftps-adapter-with-biztalk-2010.aspx
I can connect with an FTP client from the same box and have been able to replicate this on two separate machines (one inside the firewall) and another on a 3G network.
I have followed Thiago's Hotrod post on this and also granted the RecieveHost user account Manage Private Keys on the cert.
The FTP log files don't show anything, just some initial communication between BizTalk and the FTP Server but no certificate errors etc...
Can anyone shed any light on what I'm missing?
Cheers
Hi,
Dan has a good point about storing the key and account. Host for FTP adapter runs in a certain host instance. The account for that host instance needs to have access to the certificate. You therefore need to log in to your machine and place the certificate in the appropriate certificate store. The resources below can help you out.
For a checklist of steps to install the certificates see:
Checklist: Installing and Configuring Certificates:
http://msdn.microsoft.com/en-us/library/gg634541%28v=BTS.70%29.aspx
Beside the checklist you can review these resources on MSDN:
Best Practices for Managing Certificates: http://msdn.microsoft.com/en-us/library/gg634535%28v=BTS.70%29.aspx
Known Issues with Certificates in BizTalk Server: http://msdn.microsoft.com/en-us/library/gg634590%28v=BTS.70%29.aspx
Installing and Configuring Digital Certificates: http://msdn.microsoft.com/en-us/library/gg634475%28v=BTS.70%29.aspx
BizTalk Server uses two types of certificate stores, the Other People certificate store for public keys, and the Personal certificate store for each host instance service account for the private key:
Certificate Stores that BizTalk Server Uses: http://msdn.microsoft.com/en-us/library/aa559322%28v=BTS.70%29.aspx
Display Certificate Stores :
http://technet.microsoft.com/en-us/library/cc725751.aspx
HTH
Steef-Jan Wiggers
Ordina ICT B.V. | MVP & MCTS BizTalk Server 2010
http://soa-thoughts.blogspot.com/ |@SteefJan
If this answers your question please mark it accordingly
BizTalk
Similar Messages
-
Hi All,
Below is my requirement:
I have to pick files from FTPS and place files also in FTPS.
What is the exchange mechanism certificates? Do I have to take the FTPS certificate and install in PI / should I give any SAP PI certificate vendor and ask him to install in FTPS?
Please let me know the procedure.
Thank You,
Madhav
Hi Madhav,
If your customer really has a security standard to exchange while interacting with FTPS then you have to deploy the certificates on the PI server.
But you have different options while configuring the FTPS adapter; check my blog below.
How to configure FTPS in File Adapter.
Regards,
Raj -
BizTalk 2010 Send FTPS - when is my client certificate needed?
Based on this post, it's very unclear if a certificate is needed or not (in the Client Certificate Hash). The most important quote I got out of that post is this:
"I reached out to MS BizTalk support and they asked me not to use the certificate and just use FTP over SSL without certificate. We also changed the ftp firewall mode to passive and allocate storage to no."
If FileZillaClient can connect and send a file to a customer/vendor without a local certificate, then why would BizTalk need one in an FTP SendPort?
And secondly, if it is not needed, in what circumstances would you use it on an FTP SendPort.
It's my understanding that the certificate is some certificate related to the BizTalk host account's personal store on the BizTalk machine, and not the thumbprint of the customer/vendor we are communicating with.
For BT2013 this is MSDN's mysterious definition:
> Specify the SHA1 hash of the client certificate that must be used in
> the Secure Sockets Layer (SSL) negotiation.
>
> Based on this hash, the client certificate is picked up from the
> personal store of the user account under which the BizTalk host
> instance is running.
This statement gives no guidance as to when it is needed or desired.
This is the other good blog on the subject, but it also implied a cert is needed, in contradiction to Microsoft support in the earlier link.
Thanks,
Neal Walters
http://MyLifeIsMyMessage.net
Hi,
#How to use the new “FTPS adapter” with BizTalk 2010
http://blogical.se/blogs/mikael/archive/2010/09/26/how-to-use-the-new-ftps-adapter-with-biztalk-2010.aspx
And it should work with self-signed cert. Please refer to the demo:
http://blogs.msdn.com/b/biztalknotes/archive/2014/10/10/using-ftps-adapter-in-biztalk-ftp-ssl.aspx
-
How to configure certificates for FTPS
Hi, ALL,
I have to send FTP files to and from outside server using like (SAP XI proxy>FTP, FTP>SAP Xi proxy). I would like to use secure FTP (FTPS). How I can configure it in both sender and receiver FTP adapter? Does the certificate at XI has to be signed by Trusted authority or I can do self signed? Does the outside server need to get the FTP certificate also? Can anybody provide step by step solution?
<promising_points_removed_by_moderator>
Thanks a lot!
Meiying
Hi,
It depends on whether the FTP server certificates are signed by a CA installed in the TrustedCA view. The TrustedCA view is a NetWeaver administration option included in the Keystore application.
For example, if the FTP server certificate is signed by Verisign, SAP contains the certificate of Verisign installed in TrustedCA, therefore you do not have to do anything, but if the server certificate is a certificate created for you, you will have to install the CA with which you signed the certificate.
In my case, I put files into an FTPS server that has a certificate signed by Verisign and I didn't have to do anything in the TrustedCA view because the CA was installed.
In the FTP adapter you must select the FTPS option to communicate with the FTP server through SSL.
Best regards
Iván
Edited by: Carlos Ivan Prieto Rubio on Mar 25, 2009 8:10 PM -
Obtaining client certificate in servlet using apache + tomcat
Hi,
I'm porting a webapplication from Javawebserver to Apache/1.3.6 (Win32) mod_jk mod_ssl/2.2.6 OpenSSL/0.9.2b
The application needs to get the client certificate hash code.
Using Javawebserver I used
request.getAttribute ("javax.net.ssl.cipher_suite");
request.getAttribute("javax.net.ssl.peer_certificates");
etc
How do I set up the apache webserver so that I can read the client certificate and what is the attribute called?
I've tried this in the httpd.conf:
SSLOptions +ExportCertData
And the attribute:
"SSL_CLIENT_CERT"
Like it says in the Tomcat documentation.
I'm not sure if I need to set up Tomcat as well..
Any help would be greatly appreciated!
Sincerely,
AM Hjemaas
Yup use ajp13 not ajp12 or mod_webapp
refer to http://www.galatea.com/flashguides/apache-tomcat-24-win32.xml on setting up..
THIS IS IMPORTANT!!!
use Apache mod_jk.dll directive:
JkEnvVar Apache_Env_Var FORWARD_ALIAS
this will send an Apache environment variable (http://myapache/cgi-bin/printenv.pl to see what's available) to Tomcat
JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
Then in Tomcat servlet use request.getAttribute("SSL_CLIENT_CERT") to get the cert in PEM format
Hope this helps
Jay -
How to fetch certificates issued in past
Hi,
I have a long list of templates issued in my Client's Issuing CA, some of them are not in use. If I try to export " Issued Certificates" list from CA, it hangs.
I want to know how many certificates and last certificate issued from a specific template for fine-tuning and segregation purpose. Please let me know how we can check that status.
Thanks
Neha Garg
Hi Paul,
I am getting the output like this :
C:\Windows\system32>certutil -view -restrict "certificate template=<1.3.6.1.4.1.311.21.8.10269956.2688026.1196953.3333800.9810006.227.1092942.575204>"
Schema:
Column Name Localized Name Type MaxLength
Request.RequestID Request ID Long 4 -- Indexed
Request.RawRequest Binary Request Binary 65536
Request.RawArchivedKey Archived Key Binary 65536
Request.KeyRecoveryHashes Key Recovery Agent Hashes String 8192
Request.RawOldCertificate Old Certificate Binary 16384
Request.RequestAttributes Request Attributes String 32768
Request.RequestType Request Type Long 4
Request.RequestFlags Request Flags Long 4
Request.StatusCode Request Status Code Long 4
Request.Disposition Request Disposition Long 4 -- Indexed
Request.DispositionMessage Request Disposition Message String 8192
Request.SubmittedWhen Request Submission Date Date 8 -- Indexed
Request.ResolvedWhen Request Resolution Date Date 8 -- Indexed
Request.RevokedWhen Revocation Date Date 8
Request.RevokedEffectiveWhen Effective Revocation Date Date 8 -- Indexed
Request.RevokedReason Revocation Reason Long 4
Request.RequesterName Requester Name String 2048 -- Indexed
Request.CallerName Caller Name String 2048 -- Indexed
Request.SignerPolicies Signer Policies String 8192
Request.SignerApplicationPolicies Signer Application Policies String 8192
Request.Officer Officer Long 4
Request.DistinguishedName Request Distinguished Name String 8192
Request.RawName Request Binary Name Binary 4096
Request.Country Request Country/Region String 8192
Request.Organization Request Organization String 8192
Request.OrgUnit Request Organization Unit String 8192
Request.CommonName Request Common Name String 8192
Request.Locality Request City String 8192
Request.State Request State String 8192
Request.Title Request Title String 8192
Request.GivenName Request First Name String 8192
Request.Initials Request Initials String 8192
Request.SurName Request Last Name String 8192
Request.DomainComponent Request Domain Component String 8192
Request.EMail Request Email Address String 8192
Request.StreetAddress Request Street Address String 8192
Request.UnstructuredName Request Unstructured Name String 8192
Request.UnstructuredAddress Request Unstructured Address String 8192
Request.DeviceSerialNumber Request Device Serial Number String 8192
RequestID Issued Request ID Long 4 -- Indexed
RawCertificate Binary Certificate Binary 16384
CertificateHash Certificate Hash String 128 -- Indexed
CertificateTemplate Certificate Template String 254 -- Indexed
EnrollmentFlags Template Enrollment Flags Long 4
GeneralFlags Template General Flags Long 4
PrivatekeyFlags Template Private Key Flags Long 4
SerialNumber Serial Number String 128 -- Indexed
IssuerNameID Issuer Name ID Long 4
NotBefore Certificate Effective Date Date 8
NotAfter Certificate Expiration Date Date 8 -- Indexed
SubjectKeyIdentifier Issued Subject Key Identifier String 128 -- Indexed
RawPublicKey Binary Public Key Binary 4096
PublicKeyLength Public Key Length Long 4
PublicKeyAlgorithm Public Key Algorithm String 254
RawPublicKeyAlgorithmParameters Public Key Algorithm Parameters Binary 4096
PublishExpiredCertInCRL Publish Expired Certificate in CRL Long 4
UPN User Principal Name String 2048 -- Indexed
DistinguishedName Issued Distinguished Name String 8192
RawName Issued Binary Name Binary 4096
Country Issued Country/Region String 8192
Organization Issued Organization String 8192
OrgUnit Issued Organization Unit String 8192
CommonName Issued Common Name String 8192 -- Indexed
Locality Issued City String 8192
State Issued State String 8192
Title Issued Title String 8192
GivenName Issued First Name String 8192
Initials Issued Initials String 8192
SurName Issued Last Name String 8192
DomainComponent Issued Domain Component String 8192
EMail Issued Email Address String 8192
StreetAddress Issued Street Address String 8192
UnstructuredName Issued Unstructured Name String 8192
UnstructuredAddress Issued Unstructured Address String 8192
DeviceSerialNumber Issued Device Serial Number String 8192
Maximum Row Index: 0
0 Rows
0 Row Properties, Total Size = 0, Max Size = 0, Ave Size = 0
0 Request Attributes, Total Size = 0, Max Size = 0, Ave Size = 0
0 Certificate Extensions, Total Size = 0, Max Size = 0, Ave Size = 0
0 Total Fields, Total Size = 0, Max Size = 0, Ave Size = 0
CertUtil: -view command completed successfully.
but it doesn't give me the output that I am looking for. I want to know details of last certificate issued by a given template and its validity status.
Please let me know if I need to make any changes in command.
Thanks
Neha Garg -
SSTP problem on Windows Server 2008 r2, clients getting error 0x8007274C
PROBLEM: Clients keep getting error 0x8007274C when attempting to connect to the VPN server using SSTP.
SYMPTOMS:
- L2TP connections works great
--- L2TP connections generate RemoteAccess events in Event viewer, but none whatsoever for the failed SSTP attempts
- Client CANNOT ACCESS https://vpn.mycompany.net/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}
- After several attempts to check and recheck RRAS Setup. Added IIS Role (much later) just to prove that cert is valid.
--- If server's RRAS service disabled, IIS enabled, client is able to browse to that VPN server, certificate checks out. http://vpn.mycompany.net & https://vpn.mycompany.net.
--- However, if RRAS service is running, IIS would not respond to either HTTP nor HTTPS traffic.
--- SSTP won't work whether or not WWW service is running.
- Port Scanner tests to the VPN Server reveals that port 80 & 443 are not open when RRAS service is running and IIS service stopped.
--- But, when RRAS service is stopped and IIS is running, port 80 & 443 responds.
--- Not sure whether 443 is supposed to be open when only RRAS is running.
============================================================================
CLIENT:
============================================================================
- Vista SP1 (32-bit), Windows 7 (32-bit), Windows 7 x64 SP1
- CRL entry is resolvable
- vpn.mycompany.net certificate installed in Local Computer > Trusted Root CA
- SSTP Client connecting to FQDN vpn.mycompany.net
- Windows Firewall is DISABLED (for testing purposes)
- No Anti Virus nor Anti Malware protection running (for testing purposes)
- Can access other HTTPS sites
============================================================================
SERVER (Windows 2008 Svr r2; Roles: DNS, AD, RRAS):
============================================================================
- 2 NICS (1 bound to an internal IP, 1 bound to an external IP addr)
-- External NIC bound to a valid ISP IP Address, with a FQDN vpn.mycompany.net
- Windows Firewall Service on Server DISABLED
- No other device in front of the external IP addr NIC
- IPV6 on RRAS DISABLED
- NO RRAS Inbound/Outbound filter at all
- Windows Firewall Service disabled
- Using external Certificate Authority
- Certs bound to port 443 seem to match in registry key HKLM\...\SstpSvc\Parameters
It seems that the VPN server is simply not accepting the SSTP traffic. I don't think we've even gotten to certificate negotiation.
Been trying for a few days now, have consulted many SSTP online resources (MS and others) before posting.
Am stumped. Any help would be greatly appreciated.
============================================================================
SERVER CONFIGURATION CHECKLIST:
============================================================================
SERVICE_NAME: remoteaccess
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
============================================================================
SERVICE_NAME: sstpsvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
============================================================================
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP 192.168.2.109:3268 192.168.2.116:45443 ESTABLISHED 500
TCP [::]:443 [::]:0 LISTENING 4
UDP 0.0.0.0:59443 *:* 1616
UDP 0.0.0.0:60443 *:* 1616
UDP 0.0.0.0:61443 *:* 1616
============================================================================
SSL Certificate bindings:
IP:port : 0.0.0.0:443
Certificate Hash : 4cbfd1fc43d4fea1cd9dce519a0c0901330a343d
Application ID : {ba195980-cd49-458b-9e23-c84ee0adcd75}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier :
Ctl Store Name :
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : [::]:443
Certificate Hash : 4cbfd1fc43d4fea1cd9dce519a0c0901330a343d
Application ID : {ba195980-cd49-458b-9e23-c84ee0adcd75}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier :
Ctl Store Name :
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
============================================================================
Selected (some, not all) Info about Certificate bound to SSTP viewed through RRAS MMC:
Version: V3
Valid To: Thursday, August 30, 2012 6:59:59 PM
Subject:
CN = vpn.mycompany.net
OU = nsProtect Secure Xpress
OU = Domain Control Validated
Enhanced Key Usage:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
CRL Distribution Points:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://crl.netsolssl.com/NetworkSolutionsDVServerCA.crl
Thumbprint Algorithm: sha1
Thumbprint: 4c bf d1 fc 43 d4 fe a1 cd 9d ce 51 9a 0c 09 01 33 0a 34 3d
============================================================================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
73,00,73,00,74,00,70,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"ServerURI"="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"
"ListenerPort"=dword:00000000
"UseHttps"=dword:00000001
"SHA1CertificateHash"=hex:4c,bf,d1,fc,43,d4,fe,a1,cd,9d,ce,51,9a,0c,09,01,33,\
0a,34,3d
"isHashConfiguredByAdmin"=dword:00000001
"SHA256CertificateHash"=hex:ee,06,d8,78,2a,8c,95,d6,a1,40,d1,80,77,2c,e5,4c,f9,\
83,a1,e4,94,60,82,28,3d,56,49,82,44,bc,1e,a9
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters\ConfigStore]
"ListenerPort"=dword:000001bb
"UseHttps"=dword:00000001
"V4CertPlumbedBySstp"=dword:00000000
"V6CertPlumbedBySstp"=dword:00000000
============================================================================
SELECTED EVENT VIEWER ENTRIES AFTER RESTART OF RRAS + SUCCESSFUL ATTEMPT OF L2TP (BUT NO ENTRIES AT ALL FOR SSTP CONN ATTEMPTS):
Level Date and Time Source Event ID Task Category
Information 8/31/2011 11:36:42 AM Microsoft-Windows-Time-Service 37 None The time provider NtpClient is currently receiving valid time data from zeus.olympia.local (ntp.d|0.0.0.0:123->192.168.2.114:123).
Information 8/31/2011 11:35:22 AM RemoteAccess 20275 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user with ip address 192.168.2.145 has disconnected
Information 8/31/2011 11:35:22 AM RemoteAccess 20272 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul connected on port VPN2-15 on 8/31/2011 at 11:34 AM and disconnected on 8/31/2011 at 11:35 AM. The user was active for 0 minutes 32 seconds. 17264 bytes were sent and 21956 bytes were received. The reason for disconnecting was user request. The tunnel used was WAN Miniport (L2TP). The quarantine state was 'not nap-capable'.
Information 8/31/2011 11:34:57 AM Microsoft-Windows-Iphlpsvc 4200 None Isatap interface isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD} with address fe80::5efe:192.168.2.144 has been brought up.
Information 8/31/2011 11:34:51 AM Microsoft-Windows-UserPnp 20003 (7005) Driver Management has concluded the process to add Service tunnel for Device Instance ID ROOT\*ISATAP\0002 with the following status: 0.
Information 8/31/2011 11:34:50 AM RemoteAccess 20274 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul connected on port VPN2-15 has been assigned address 192.168.2.145
Information 8/31/2011 11:34:50 AM RemoteAccess 20250 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul has connected and has been successfully authenticated on port VPN2-15.
Information 8/31/2011 11:34:49 AM RemoteAccess 20088 None The Remote Access Server acquired IP Address 192.168.2.144 to be used on the Server Adapter.
Information 8/31/2011 11:30:26 AM Microsoft-Windows-HttpEvent 15007 None Reservation for namespace identified by URL prefix https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ was successfully added.
Information 8/31/2011 11:30:26 AM Microsoft-Windows-HttpEvent 15008 None Reservation for namespace identified by URL prefix https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ was successfully deleted.
Information 8/31/2011 11:30:26 AM Service Control Manager 7036 None The Application Layer Gateway Service service entered the running state.
Information 8/31/2011 11:30:26 AM Service Control Manager 7036 None The Routing and Remote Access service entered the running state.
Error 8/31/2011 11:30:26 AM RemoteAccess 20106 None "Unable to add the interface {BBF2BA88-DCC5-4D36-9256-E1C8AF602467} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
Error 8/31/2011 11:30:26 AM RemoteAccess 20106 None "Unable to add the interface {DF914ECC-AC6A-441E-A47C-57CE90C7F8B0} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
Information 8/31/2011 11:30:21 AM Service Control Manager 7036 None The Routing and Remote Access service entered the stopped state.
Information 8/31/2011 11:30:20 AM Service Control Manager 7036 None The Application Layer Gateway Service service entered the stopped state.
Information 8/31/2011 11:30:01 AM Microsoft-Windows-Eventlog 104 Log clear The System log file was cleared.
============================================================================
============================================================================
Hi, I'm in the exact same situation and for once google is of no help. I have tried to get a simple connect through to my server (by using "telnet vpn.myserver.com 443") but it will only timeout. After deactivating the Windows firewall on the VPN box (which is a virtual machine on a Hyper-V R2 SP1) I can locally telnet the VPN box and even get the special url (https://vpn.myserver.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/) to work. But this only works on the VPN box itself, no other server or client is able to contact it. I have tried to connect from another server sitting next to the vpn box and in the same subnet (public IPs) but couldn't connect either. PPTP and L2TP connections are working but not SSTP. Another approach was to manually bind the http.sys to specific IPs. No change. I'm fresh out of ideas. Anyone?
regards, ck -
Microsoft Outlook 2010 & 2013 cannot set automatic reply settings
Hello,
We cannot seem to set automatic replies within outlook 2010 & 2013. We have an exchange server 2010. We can setup automatic reply through OWA absolutely fine. The error that we receive is 'Your automatic reply settings cannot be displayed because the server is currently unavailable. Try again later.'
However we can setup out of office on any other office version below 2010 fine. We have run through a number of tests and have come to the conclusion that the auto discover service is not configured correctly. I have been told to run through the following:
"We need to make sure the IIS service is assigned to the certificate which includes mail.mydomainname.co.uk name:
Enable-ExchangeCertificate -Thumbprint 62C247B3BD081D0A8B074D4A928A76E6DA3BABBA -Services POP,IMAP,SMTP,IIS
Then restart IIS service to apply the changes.
If the user is connect to mailbox from external environment as your test results, it is recommended to add the autodiscover.mydomain.co.uk name in your certificate with IIS service. If so, the autodiscover service can be accessed successfully in your posted second steps(https:/autodiscover.mydomain.co.uk/autodiscover/autodiscover.xml). Alternatively, if you don’t want to change your certificate configuration, we need to create a new SRV record for mail.mydomainname.co.uk to make your autodiscover succeed in last steps of Srv Record lookup method".
So I followed this and opened Exchange Management Shell and ran the following.....
'Enable-ExchangeCertificate -Thumbprint 62C247B3BD081D0A8B074D4A928A76E6DA3BABBA -Services POP,IMAP,SMTP,IIS'
The following output was displayed:
"VERBOSE: Connecting to SERVER2011.EXCHANGE.local
VERBOSE: Connected to SERVER2011.EXCHANGE.local.
[PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint 62C247B3BD081D0A8B074D4A928A76E6DA3BABBA -Services POP,IMAP,SMTP,IIS
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'SERVER2011.EXCHANGE.local'
because the CA-signed certificate with thumbprint '71ADF367E190E269C1036BBF4A09C55E62536791' takes precedence. The
following receive/send connectors match that FQDN: Default SERVER2011.
WARNING: This certificate will not be used for external TLS connections with an FQDN of
'mail.companyname.co.uk' because the CA-signed certificate with thumbprint
'67ECB1A383CBD05424C58F6A5E753C9377F49D3D' takes precedence. The following receive/send connectors match that FQDN:
Windows SBS Internet Receive SERVER2011, Fax/Printer.
Confirm
Overwrite the existing default SMTP certificate?
Current certificate: '67ECB1A383CBD05424C58F6A5E753C9377F49D3D' (expires 09/08/2015 09:06:17)
Replace it with certificate: '62C247B3BD081D0A8B074D4A928A76E6DA3BABBA' (expires 06/08/2015 17:05:22)
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"):"
I opened up 'Internet Information Services (IIS) Manager' to find 2 Server Certificates issued to 'mail.companyname' with the certificate hash '62C247B3BD081D0A8B074D4A928A76E6DA3BABBA' and '71ADF367E190E269C1036BBF4A09C55E62536791'.
I opened up the Exchange Management Console to confirm that the IMAP, POP, IIS, and SMTP services are bound to both of the certificates for 'mail.companyname'.co.uk
I need to know if it is okay to proceed in replacing the certificate and running this command.
Thank you
Hi,
We have this problem with some of our users, in that they get the server unavailable error when trying to activate the out of office.
In our case this is because the Proxy is blocking the connection from the PC to the Exchange, so we just go to Internet Options - Connections - LAN Settings - Advanced (under proxy server) then just add *.domain.com into the Exceptions box at the bottom.
This seems to resolve the issue and allow them to set their out of office. The only reason this reoccurs for these users is because their roaming profile for some reason won't save the proxy settings, which is a different issue.
Hope this helps. -
VPN and Remote Desktop Connection
I have a standalone windows 2012 server that runs a domain with a few workstations. I have successfully configured a PPTP VPN and can connect using a Windows 7 computer at home. Once connected to the VPN, I can Remote Desktop to the server - but not any other computers. The computer I'm trying to connect to runs Windows 7 and has remote desktop connections enabled.
Under the Access Details in the Remote Access Management the VPN connection is shown correctly first to the router (x.x.x.1) then the server (x.x.x.2) under Protocol 17 and Port 53. Then the server is shown again under Protocol 17 and Port 3389, which must be the Remote Desktop connection. And then the workstation on the domain (x.x.x.20) also shows a connection with Protocol 17 and Port 3389. However, the remote desktop connection fails every time. I'm not sure where the issue exists since it appears the server is seeing and acknowledging the remote desktop connection. On my router I have PPTP passthrough enabled and port forward 3389 to the server.
I have attempted to use the workstation's internal IP address as well as the computer name (workstation and workstation.domain.local) when connecting.
Thanks for your help.
I just noticed these three event errors on the destination remote machine. Not sure why it's trying to use L2TP?
Failed to apply IP Security on port VPN2-1 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.. No calls will be accepted to this port.
A certificate could not be found. Connections that use the L2TP protocol over IPsec require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted.
The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.
Morning Trent,
I don't know if this is still an issue for you, did you get it solved?
If not, check on the server whether the user credentials that you're using to RDP to the workstation are actually authorised server-side. If that checks out, on the VPN connection you can specify a protocol to use. Specify the protocol that your VPN is configured to use on the server. -
Directaccess - IPHTTPS error 0x80190194, Server 2012R2 / Win 8.1
I'm trying to setup directaccess for our network. I already have a server in our edge network with the remote access role installed for the Web Application Proxy service, so I added the DirectAccess role service to that. According to the documentation, if both are a single server implementation it is supported to run both of those on the same server.
I configured DirectAccess, and added a win8.1 client to the DA security group to test it. I confirmed that on the internal network, the client is able to connect to the NLS and DA shows that it is connected to the local network. However, when on an outside network, DA just says it's trying to connect, and never does. I ran the log collection tool from the DA connection settings and found that the IPHTTPS connection shows an error code 0x80190194.
I've searched for info on this, but so far I'm not finding anything that seems to fit my situation. The responses to others with this error seem to point to a certificate issue. In my case, I'm using a wildcard certificate for our public domain name. The cert is signed by a major public CA, so there shouldn't be any trust issues. The external DNS name that DA should connect to is RAS.domain.com and the certificate is for *.domain.com
Any suggestions on what the problem could be, or what to look at next for troubleshooting the issue, would be appreciated.
Thanks!
Thank you for the reply. I ran netsh http show ssl, and the first entry returned is:
SSL Certificate bindings:
IP:port : 0.0.0.0:443
Certificate Hash : 1414baa1409b2c8ffd8c2d549f460db4bcf8130f
Application ID : {f955c070-e044-456c-ac00-e9e4275b3f04}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
That is followed by several entries for addresses related to our Lync and ADFS servers, published through Web Application Proxy. All of those have the same certificate hash listed, which makes sense since I am using the same wildcard certificate for
WAP and DA.
I did find a post or two indicating that the DS Mapper Usage may need to be set to enabled, so I tried that last week but it didn't seem to make any difference. -
Oracle and php 5.4 doesn't work
Description:
I was using PHP 5.3 with Oracle client 11g and everything worked fine. I have a web app already in production with PHP 5.3. I tried to upgrade to PHP 5.4, so I installed XAMPP 1.8, which uses PHP 5.4, in another folder. I tried everything to make Oracle work, but I cannot connect to the database. It's really strange because on the same machine with the same remote database PHP 5.3 works just fine.
In PHP 5.3 I am using php_oci8.dll with Oracle client 11g,
and with PHP 5.4 I tried to use php_oci8.dll. The error is:
ORA-12154: TNS:could not resolve the connect identifier specified
After that I tried php_oci8_11g.dll and the error is:
ORA-24315: illegal attribute type
I am on a Windows Vista 64-bit machine,
both PHP versions are 32-bit,
the Oracle client is 32-bit.
The database is on another machine.
I think that everything you need to simulate the problem is to install XAMPP 1.8, enable php_oci8.dll and try to run the test script.
Test script:
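<?php
// DBUSER, DBPASSWORD and DBTNS are assumed to be constants defined before this point.
print_r(get_loaded_extensions());      // confirm that oci8 is loaded
print_r(get_extension_funcs('oci8'));  // functions exported by the loaded oci8 build
echo system('env');                    // environment seen by the web server process
echo "Client Version: " . oci_client_version();
print_r(oci_pconnect(DBUSER, DBPASSWORD, DBTNS));
print_r(oci_error());                  // details of the failed connection attempt
die();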
Expected result:
I was expecting oci_pconnect to work, because the same script works with PHP 5.3.
Actual result:
Client Version: 11.1.0.6.0
<b>Warning</b>: oci_pconnect(): in <b>C:\xampp18\htdocs\config\aguaCheiro.php</b> on line <b>25</b>
Array
[code] => 24315
[message] => ORA-24315: invalid atribute type
[offset] => 0
[sqltext] =>
It strongly sounds like you have multiple versions of Oracle libraries and are seeing some kind of clash.
-
How to properly setup LB probe for ADFS 3.0 servers
We are facing a problem during ADFS 3.0 (Windows Server 2012 R2), because we do not find a suitable URL for hardware Load Balancer probe to test ADFS nodes.
When tried with IE browser, the URL
https://sts.adfs1.ad/adfs/ls/IdpInitiatedSignon.aspx properly results in ADFS login page but, when tried the same URL with HW LB probe, the probe gets no answer from ADFS server at all.
We compared incoming traffic with network monitor in that ADFS server node (https temporary changed to http to see the traffic), a somewhat similar HTTP GET query did exist:
GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1..Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*..Accept-Language: fi-FI..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows
NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: sts.adfs1.ad
GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1..Connection: Close..Host: sts.adfs1.ad
How to properly monitor the ADFS 3.0 server nodes?
Br, Kari Oikkonen
MCITP/2008
Fujitsu Finland
Please note that using the DNS name in the URL opens the metadata OK, but using the IP address fails, not the opposite as you mentioned.
The netsh http show sslcert lists the following:
SSL Certificate bindings:
Hostname:port : sts.mydomain.com:443
Certificate Hash : 12b510eead093f8d29db950a42ecf4940c933533
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : AdfsTrustedDevices
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Hostname:port : localhost:443
Certificate Hash : 12b510eead093f8d29db950a42ecf4940c933533
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : AdfsTrustedDevices
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Hostname:port : sts.mydomain.com:49443
Certificate Hash : 12b510eead093f8d29db950a42ecf4940c933533
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
The netsh http show urlacl shows the following:
URL Reservations:
Reserved URL :
http://+:80/Temporary_Listen_Addresses/
User: \Everyone
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;WD)
Reserved URL :
https://+:5986/wsman/
User: NT SERVICE\WinRM
Listen: Yes
Delegate: No
User: NT SERVICE\Wecsvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
Reserved URL :
http://+:5985/wsman/
User: NT SERVICE\WinRM
Listen: Yes
Delegate: No
User: NT SERVICE\Wecsvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
Reserved URL :
http://+:47001/wsman/
User: NT SERVICE\WinRM
Listen: Yes
Delegate: No
User: NT SERVICE\Wecsvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
Reserved URL :
http://*:2869/
User: NT AUTHORITY\LOCAL SERVICE
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;LS)
Reserved URL :
http://*:5357/
User: BUILTIN\Users
Listen: Yes
Delegate: No
User: NT AUTHORITY\LOCAL SERVICE
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;BU)(A;;GX;;;LS)
Reserved URL :
https://*:5358/
User: BUILTIN\Users
Listen: Yes
Delegate: No
User: NT AUTHORITY\LOCAL SERVICE
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;BU)(A;;GX;;;LS)
Reserved URL :
https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
User: NT SERVICE\SstpSvc
Listen: Yes
Delegate: Yes
User: BUILTIN\Administrators
Listen: No
Delegate: No
User: NT AUTHORITY\SYSTEM
Listen: Yes
Delegate: Yes
SDDL: D:(A;;GA;;;S-1-5-80-3435701886-799518250-3791383489-3228296122-2938884314)(A;;GR;;;BA)(A;;GA;;;SY)
Reserved URL :
http://+:80/adfs/
User: NT SERVICE\adfssrv
Listen: Yes
Delegate: Yes
SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
Reserved URL :
https://+:443/adfs/
User: NT SERVICE\adfssrv
Listen: Yes
Delegate: Yes
SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
Reserved URL :
https://+:49443/adfs/
User: NT SERVICE\adfssrv
Listen: Yes
Delegate: Yes
SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
Reserved URL :
https://+:443/FederationMetadata/2007-06/
User: NT SERVICE\adfssrv
Listen: Yes
Delegate: Yes
SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
Any idea of how to build a probe rule with IP address? -
Problem installing patch 5.1.0.44.6
I am trying to install the newly released 5.1.0.44.6 patch on our test ACS boxes
5.1 running 5.1.0.44.3 before applying it to our production boxes, and I am getting this error message:
' this system failure occurred: Failed to access respository 5-1-0-44-6, Please verify that respository credentials are valid'
I know the message is clear, but the thing is I don't find anywhere a place for the credentials of the repository that I created, and I was able to upload the patch from our FTP server using it.
Any ideas?
Yes, FTP opens from my PC with the credentials.
i removed the old repository and created new one
repository 5-1-0-44-6
url ftp://10.160.100.37
user ftp password hash 804817cce55176b74654eed48214d7997d0d7501
STCO1ACS1-1120/admin# patch install 5-1-0-44-6.tar.gpg 5-1-0-44-6
Do you want to save the current configuration ? (yes/no) [yes] ?
Generating configuration...
Saved the running configuration to startup successfully
% Manifest file not found in the bundle
STCO1ACS1-1120/admin#
And I ran tcpdump on my firewall and saw tons of packets going forward and back (so the communication is happening), but I got the same error message as earlier. -
HTTP 403.13 during SCCM client push
We have multiple forests connected to a shared SCCM 2012 R2 site.
The site is in SSL only mode
With one forest we have problems pushing clients from SCCM.
Install works fine but as soon as the client connects to the MP we get HTTP 403.13 failures.
RootCA certs have been added to SCCM
RootCA certs of the remote forest are added on both sides to trusted root CA
CRL can be checked on both sides using IE.
Still IIS logs on the MP show
2014-08-07 08:14:57 managementpointip CCM_POST /ccm_system_windowsauth/request - 443 - hostip ccmhttp - 403 13 2148081683 34
ccm messaging logs show
Post to https://MPFQDN/ccm_system_windowsauth/request failed with 0x87d00231
The following registry keys have been set to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
ClientauthTrustmode REG_DWORD 2
sendtrustedissuerlist REG_DWORD 0
The strange thing is that one forest works and one does not. Both are identically configured.
Firewall ports are open.
Hi Torsten,
I have seen that article and yes it is CRL related. The thing is the MP is configured not to check the CRL.
Now the client push seems to ignore that value. A local install can be configured with /nocrlcheck
Still it worries me that the CRL can be accessed by the MP using a browser on the MP.
SSL Certificate bindings:
IP:port : 0.0.0.0:443
Certificate Hash : 0317e07bab17b3f16502c1623778c1abeadbfd19
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Disabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 0.0.0.0:8531
Certificate Hash : 0317e07bab17b3f16502c1623778c1abeadbfd19
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled -
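The `netsh http show sslcert` listings posted in the DirectAccess, ADFS and SCCM threads above are easier to compare once parsed. This is an added example, not code from any of the posters: it splits the output into bindings and flags hostname (SNI) bindings with no IP:port binding on the same port, disabled client-certificate revocation checks, client-certificate negotiation and malformed thumbprints. The sample text is constructed from lines quoted on this page, and the finding codes are names made up for this example.

```python
import re

# Constructed sample: field layout of `netsh http show sslcert`, trimmed to the
# lines the audit reads; values copied from the outputs quoted in the threads.
SAMPLE = """\
SSL Certificate bindings:
IP:port : 0.0.0.0:443
Certificate Hash : 0317e07bab17b3f16502c1623778c1abeadbfd19
Verify Client Certificate Revocation : Disabled
Negotiate Client Certificate : Disabled
IP:port : 0.0.0.0:8531
Certificate Hash : 0317e07bab17b3f16502c1623778c1abeadbfd19
Verify Client Certificate Revocation : Enabled
Negotiate Client Certificate : Disabled
Hostname:port : sts.mydomain.com:49443
Certificate Hash : 12b510eead093f8d29db950a42ecf4940c933533
Verify Client Certificate Revocation : Enabled
Negotiate Client Certificate : Enabled
"""

LINE = re.compile(r"^\s*(.+?)\s+:\s*(.*)$")  # "key : value"; keys may contain ':'
THUMBPRINT = re.compile(r"[0-9a-fA-F]{40}")  # SHA-1 hex; stray pasted characters fail


def parse_bindings(text):
    bindings, current = [], None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, separator or blank line
        key, value = m.group(1), m.group(2).strip()
        if key in ("IP:port", "Hostname:port"):
            current = {"endpoint": value, "port": value.rpartition(":")[2],
                       "sni": key == "Hostname:port"}
            bindings.append(current)
        elif current is not None:
            current[key] = value
    return bindings


def audit(bindings):
    ip_ports = {b["port"] for b in bindings if not b["sni"]}
    findings = []
    for b in bindings:
        ep = b["endpoint"]
        if not THUMBPRINT.fullmatch(b.get("Certificate Hash", "")):
            findings.append((ep, "BAD_THUMBPRINT"))
        # Hostname bindings are selected by SNI; without an IP:port binding on
        # the same port, a client that sends no SNI has nothing to match.
        if b["sni"] and b["port"] not in ip_ports:
            findings.append((ep, "SNI_NO_FALLBACK"))
        if b.get("Verify Client Certificate Revocation") == "Disabled":
            findings.append((ep, "REVOCATION_OFF"))
        if b.get("Negotiate Client Certificate") == "Enabled":
            findings.append((ep, "CLIENT_CERT_NEGOTIATED"))
    return findings

for endpoint, code in audit(parse_bindings(SAMPLE)):
    print(f"{endpoint:24} {code}")
```

On a server, feed `parse_bindings` the captured text of `netsh http show sslcert` instead of `SAMPLE`.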
Allowing jnlp via deployment rule set
Hello,
In our network, we use a deployment rule set to only allow applets that we deem necessary, and all others are blocked. This has been working fine. However recently I've been asked to add a website to the allowed list. This website downloads a jnlp file, then launches the jnlp locally, and is blocked every time. Now I'm not that well versed in java applets. But I've added the website address that this applet calls to, and have had no luck with this running. Everything I've tried has not worked.
This is a snippet of the ruleset.xml
<rule>
<id location="http://elm.elluminate.com:80/" /> <!-- Assessor Online Class -->
<action permission="run" />
</rule>
The java console has not been helpful, as the application is blocked before java even starts...after the jnlp verifies, it blocks the application due to the ruleset. How can I set this ruleset up so that this jnlp is allowed to run?
Hello,
To allow a local jnlp to run without any prompts using Deployment Rule Sets, you can use a rule to allow all the applets signed with a specific certificate:
<rule>
<id>
<certificate hash="794F53C746E2AA77D84B843BE942CAB4309F258FD946D62A6C4CCEAB8E1DB2C6" />
</id>
<action permission="run" />
</rule>
You can get your certificate hash in SHA-256 from the signed jar file following this doc:
http://docs.oracle.com/javase/8/docs/technotes/guides/jweb/security/deployment_rules.html#gethash