Get Mykuler w/ authenticated user?

Similar Messages

• How can I stop authenticated users from getting other user's information?

  We recently discovered that it is possible for authenticated users, via KMu2019s details view, to view details about the other users that have access to the same resource as you.  Our portal (7.0 sp15) is used for an external facing web site.  We have secured it against anonymous users but the problem still remains for authenticated users.  Here is an example:
  The KM folder documents\Public Documents has been assigned read permissions for the group Everyone.  An authenticated user can open the URL https://<host>/irj/go/km/navigation/documents/Public%20Documents and a list of folders are shown.  The user can then select the Details from the menu for one of the folders and the Details iview is displayed.  They then select the menu item Settings > Permissions and the users/groups/roles assigned to this folder are shown.  The user can then select a user and view that users name and email address or the user could select a group and view for each member of the group the user id, name, and email address which could then be used to help attack the site.
  So I thought it would be easy enough to disable the details view for all users but content managers or administrators but I seem to running into difficulty. 
  I tried disabling the Details KM command with limited success.  Even with it disabled, if you know the URL for the details component you can still access it.  So it seems the better option is to take away access to the details component.  It seems that the users are getting access to the Details iView from the standard eu_role.  If I remove the iView from this role then all user have no access to the Details in KM.  I tried to add the iView to another role that content managers would have but when logged in with a user that had that other role I still was not able to access the Details iView. 
  This SAP Help document [http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm |http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm ]discusses the eu_role(Standard User role) and it states that
  By default, the Everyone group is assigned to the Standard User role. If you choose to use the other every user roles instead, you need to remove these assignments from the Standard User role and apply them to the Every User Core and Control Center User roles.
    But, when I look at what groups the role is assigned to or what roles are assigned to the Everyone group they donu2019t appear to be linked contrary to what the documentation says.  So, what Iu2019m thinking here is that I can create a copy of this role and remove the Details iView from the original and then assign the copy to the content managers and administrators.  Doing this causes all users to lose access, even the content managers.
  I thought Iu2019d give the Security Zones a try to see if this could help me but when I take away rights from here it still allows access.
  Iu2019m stumped.  Iu2019m sure there is some key piece that eludes me.  What can I do to allow users read only access to some KM folders and files while preventing them from viewing the permission/user details?

  The only 3d party apps are Hazel...
  And that's your problem!
  From the Hazel site's description:
  Hazel watches whatever folders you tell it to, automatically organizing your files according to the rules you create.
  Hazel, is a prefPane so you must have some rule (or it supplied the rule as a default) to put pictures (jpg's) from your Desktop (folder) into your Pictures folder.
  Open your System Preferences and Hazel in there and either turn off Hazel or change or delete the appropriate rule covering this situation.

• NT Authority\Authenticated Users cant able to get back the users

  While deleting the group user i accidentally deleted the
  NT Authority\Authenticated Users now i cant able to call "NT Authority\Authenticated Users" the
  users in the site .how to get back to the users to the site. help me to add the NT users back thanks.
   

  Hi Sundhar,
  According to your description, my understanding is that you could not find
  NT Authority\Authenticated Users after someone removed it from People&Group(Site Actions) in SharePoint 2010.
  For this issue, you just need to manually type in “Authenticated Users” then click the user check icon instead of searching the address book for it. Once the check completes, you should see an image similar to below:
  More information, please refer to the link:
  http://appdevonsharepoint.com/what-happened-to-nt-authorityauthenticated-users-in-sp2010-sp2013/
  Best Regards,
  Wendy
  Wendy Li
  TechNet Community Support

• Get authenticated user name (HTTP basic auth)

  Hi.
  How can I get the authenticated user name from a BPEL process when the service is protected with HTTP basic auth?
  I'm running SOA Suite 11.1.1.5.
  Thanks in advance.
  Mick

  Doh! Ok So I've added a SOAP Handler to automatically add the username and password for the HTTP Basic Auth.
  All in all does this setup sound right?

• How i get user info from ldap using java after authenticating user with SSO

  Hi
  I have one jsp/bean application as a partner application with SSO.
  It works fine.
  Now i need to get other attributes of user from LDAP who has logged into the application through SSO.
  using SSO java APIs i only get username, userDN, subscriber info.
  To get user's other attribute i have to user LDAP APIs for that i have to create on Directory Context, for the same i need userpassword.
  so here i my question, how do i get user password after he has logged in thro SSO.
  regards..
  and thanking u in advance
  samir

  Valentina,
  there's no way to get the password value from the directory (it's one way). Of course you can get the hashed (MD4,MD5,SHA-1) base64 encoded value (i.e. the value you see in OiD) but not the 'password'.
  --Olaf                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

• Get authenticated user in short-lived Workbench process

  To invoke a REST endpoint I'm required to login as this seems to be a protected resource.  In the short-lived process I would like to get the name of the logged-in user but new com.adobe.idp.Context().getAuthenticatedUser() returns null.  LC runs in the turnkey JBoss server on Windows 2003 Server with SQLServer as the LC repository.

  Can you try the following expression?
  String loggedInUserOID = patExecContext.getProcessDataStringValue("/process_data/@creator_id");
  // You should get the logged in user's unique id from the above expression.
  Nith

• How to use an authenticated user for a proxy call

  Dear all,
  I am currently working on a JEE application where the user needs to authenticate (for this I have configured the web.xml).
  Now inside this application I need to do a proxy call to a PI webservice.
  I would like to use the user credentials of the already logged in user in order to call the proxy.
  What I don't want to do is to use a service user for the proxy call.
  The code I am trying to call looks something like this:
       private IntegratedConfigurationIn getPort() throws Exception{
            IntegratedConfigurationIn port = null;
            try {
                 IntegratedConfigurationInService service = null;
                 service = new IntegratedConfigurationInService();
                 port = (IntegratedConfigurationIn) service.getIntegratedConfigurationIn_Port();
                BindingProvider bp = (BindingProvider)port;
                bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, user);
                bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);
                if (url.length() != 0)
                     bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, url);
            catch (Exception ex){
                 ex.printStackTrace();
            return port;
  The examples I found to retrieve the userdata pointed to codes similar to this one:
  public HttpServletRequest getHttpRequest() throws Exception {
            // Get runtime context
            Properties props = new Properties();
            props.put("domain", "true");
            Context initialContext = new InitialContext(props);
            ApplicationWebServiceContext wsContext = (ApplicationWebServiceContext) initialContext
                      .lookup(" /wsContext/ApplicationWebServiceContext");
            HttpServletRequest req = wsContext.getHttpServletRequest();
            return req;
  com.sap.security.api.IUser sapUser = com.sap.security.api.UMFactory.getAuthenticator().getLoggedInUser(getHttpRequest(), null);
            IUser ep5User = com.sapportals.wcm.util.usermanagement.WPUMFactory.getUserFactory().getEP5User(sapUser);
  Now I don't know how to bring it togehter and how to use an authenticated user for the BindingProvider.
  I would appreciate any hints or ideas.

  Peter,
  from the first screenshot, what I understood is that, you are calling an inbound PI web service that is intended to create an integrated configuration object (this is used for whole lot of other reason completely) but not actually calling a development web service.
  For this, you would have to generate your client classes from the WSDL provided by the PI developer for that particular service. Once you get those client classes generated, you could used the method provided in the other screenshot to extract the user and password and call the intended web service.
  Vijay Konam

• Authenticated User not showing up in access log

  Hello all,
  I am trying to get authenticated users to show up in the access log of SunOne Web Server 6.1 SP4 and it doesn't work. It is a default paramter to show up in the access log but doesn't show in the log. In fact, when I set the log to only show the authenticated user in the log, the log is empty and only shows dashes. As you can in the part of the log file below, after the IP address the log should show the authenticated user but doesn't
  Any help? Do I need to modify something else in a configuration file?
  Thanks
  Richard
  10.64.8.62 - - [15/Jul/2007:00:42:28 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:43:43 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:44:58 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:46:14 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:47:29 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:48:44 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:49:59 +0200] "GET / HTTP/1.1" 200 202
  10.65.1.63 - - [15/Jul/2007:00:51:14 +0200] "GET /Windchill/ HTTP/1.1" 200 402
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/wtcore/js/com/ptc/core/ca/web/misc/content.js HTTP/1.1" 200 4132
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/cut.gif HTTP/1.1" 200 104
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/newdoc.gif HTTP/1.1" 200 215
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/details.gif HTTP/1.1" 200 214
  10.65.1.63 - - [15/Jul/2007:00:51:14 +0200] "GET /Windchill HTTP/1.1" 302 0
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/javascript/util/calendar.js HTTP/1.1" 200 29580
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/contract_comp.gif HTTP/1.1" 200 79
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/newfoldertl.gif HTTP/1.1" 200 221
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/ptclogo.gif HTTP/1.1" 200 1284
  10.64.8.62 - - [15/Jul/2007:00:51:14 +0200] "GET / HTTP/1.1" 200 202

  You didn't say how the server is authenticating the user. Is it succesful? ACLs or Java?
  6.1sp4 is obsolete, update to the latest 6.1 service pack first. If you're using Java, I believe there was a bug years ago that was along the lines of your description. Update to the latest 6.1 service pack and if that doesn't solve the problem, provide more details on how the authentication is configured.

• Workspace Credential Conflict between Logged-in User and the Authenticated User

  Hi there,
  I am running LiveCycle ES Update1 SP2 with Process Management component on WIN/JBoss/SQL Server 2005.
  I have been encountering user credential conflicts from time to time, but it has not been consistent and the problem manifested in various ways, such as:
  - problem when logging in with error "An error occurred retrieving tasks." on the login screen
  - user logs in successfully but is showing somebody else queue(s) with his/her own queue with no task in there
  - fails to claim task from group queue.
  The stacktrace from the server.log file I collected from a production system shows the exception below.
  Has anybody else encountered the similar problem?
  It looks to me that it doesn't log out cleanly and some kind of caching is done on the authenticated session and is not cleaned up properly on user logout.
  2009-07-10 15:05:13,955 ERROR [com.adobe.workspace.AssemblerUtility] ALC-WKS-005-008: Security exception: the user specified in the fill parameters (oid=F0FA390C-AECC-BB19-F0D7-6CA13D6CBF83) did not match the authenticated user (oid=F25892EE-80CE-8C24-E40D-881F631AA8BE).
  2009-07-10 15:05:13,955 INFO  [STDOUT] [LCDS] [ERROR] Exception when invoking service 'remoting-service': flex.messaging.MessageException: ALC-WKS-005-008: Security exception: the user specified in the fill parameters (oid=F0FA390C-AECC-BB19-F0D7-6CA13D6CBF83) did not match the authenticated user (oid=F25892EE-80CE-8C24-E40D-881F631AA8BE).
    incomingMessage: Flex Message (flex.messaging.messages.RemotingMessage)
      operation = submitWithData
      clientId = F3D2CDD0-330F-F00B-C710-5AF3F7CB4138
      destination = task-actions
      messageId = 7E385A6B-E4E6-3A81-CD6A-630DF4FAE5BB
      timestamp = 1247202313955
      timeToLive = 0
      body = null
      hdr(DSEndpoint) = workspace-polling-amf
      hdr(DSId) = F3C38977-171B-7BED-3B16-F3A5FE419479
    Exception: flex.messaging.MessageException: ALC-WKS-005-008: Security exception: the user specified in the fill parameters (oid=F0FA390C-AECC-BB19-F0D7-6CA13D6CBF83) did not match the authenticated user (oid=F25892EE-80CE-8C24-E40D-881F631AA8BE).
      at com.adobe.workspace.AssemblerUtility.createMessageException(AssemblerUtility.java:369)
      at com.adobe.workspace.AssemblerUtility.checkParameters(AssemblerUtility.java:561)
      at com.adobe.workspace.tasks.TaskActions.callSubmitService(TaskActions.java:788)
      at com.adobe.workspace.tasks.TaskActions.submitWithData(TaskActions.java:773)
      at sun.reflect.GeneratedMethodAccessor941.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at flex.messaging.services.remoting.adapters.JavaAdapter.invoke(JavaAdapter.java:421)
      at flex.messaging.services.RemotingService.serviceMessage(RemotingService.java:183)
      at flex.messaging.MessageBroker.routeMessageToService(MessageBroker.java:1495)
      at flex.messaging.endpoints.AbstractEndpoint.serviceMessage(AbstractEndpoint.java:882)
      at flex.messaging.endpoints.amf.MessageBrokerFilter.invoke(MessageBrokerFilter.java:121)
      at flex.messaging.endpoints.amf.LegacyFilter.invoke(LegacyFilter.java:158)
      at flex.messaging.endpoints.amf.SessionFilter.invoke(SessionFilter.java:44)
      at flex.messaging.endpoints.amf.BatchProcessFilter.invoke(BatchProcessFilter.java:67)
      at flex.messaging.endpoints.amf.SerializationFilter.invoke(SerializationFilter.java:146)
      at flex.messaging.endpoints.BaseHTTPEndpoint.service(BaseHTTPEndpoint.java:278)
      at flex.messaging.MessageBrokerServlet.service(MessageBrokerServlet.java:315)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:252)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at com.adobe.workspace.events.RemoteEventClientLifeCycle.doFilter(RemoteEventClientLifeCycle .java:138)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:202)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:202)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
      at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.ja va:159)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11P rotocol.java:744)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
      at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
      at java.lang.Thread.run(Thread.java:595)
  Kendy

  I am having the same server issue and i cant get hold of SP3 to fix it. can anyone tell me how to fix this problem or provided a link where i can get SP3 from? Ive spent most of the day on the phone to Adobe Support and they have been unable to provide me with a link to the service pack.

• Username not showing up in access log for authenticated users

  I'm using form-based authentication in a Java web application on Sun One Web Server v6.1 to restrict access to authenticated users. However, even after the users authenticate and access the application, the username field in the access log is showing them as anonymous.
  request.getRemoteUser() is reporting the correct username, so it just seems to be the access log that is in error. Right now it is set to the default but changing formats to custom doesn't seem to help in displaying the username.
  Here's an excerpt from the access log:
  // anonymous access attempt, redirects to login page...
  10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/index.jsp HTTP/1.1" 302 0
  10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/login.jsp HTTP/1.1" 200 3355
  10.100.168.110 - - [01/May/2006:14:34:47 -0400] "POST /profile/j_security_check HTTP/1.1" 302 0
  // at this point they are logged in and their username should be reflected in the access log, but is not:
  10.100.168.110 - - [01/May/2006:14:34:47 -0400] "GET /profile/index.jsp HTTP/1.1" 200 3532 And the relevant code from the web application's web.xml:
  <security-constraint>
      <web-resource-collection>
        <web-resource-name>AllFiles</web-resource-name>
        <description>
                   Restricts anonymous access.
                </description>
        <url-pattern>/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>
                 Authenticated Users
                </description>
        <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>I've searched the forums and the manuals but can't see anything showing that the access log's username field doesn't work with form-based authentication. Can anyone shed some light on this?

  Some background:
  The Java Servlet container has its own authentication infrastructure (which is what you configure in web.xml) which is separate from the non-Java authentication infrastructure (ACLs, etc.). If you set up authentication via ACLs the resulting user identity can (though you may configure it not to) propagate to the Java Servlet container such that request.getRemoteUser() will return it, even though no web.xml-driven authentication occurred. The coverse is not true, however: if you authenticate via a Java Realm, based on web.xml configuration, that user identity is not available to non-Java code.
  (Your web.xml snippet doesn't show you using FORM auth - but it doesn't matter, the explanation above applies in any case.)
  That is why the log file (generated from non-Java code) doesn't have access to that user. It probably should, but there's no config option today for you to make that happen.
  If you're using BASIC auth you may consider moving the authentication configuration from web.xml to ACLs as a possible workaround. It will then show up in the access logs.
  If you prefer web.xml-based authentication, consider the <SECURITY audit="true"> option in server.xml. It won't be in the access log but you'll have an audit trail of authentications, which may help.

• Authenticated Users Group Question

  I have a quick question regarding the Authenticated Users "group". I used to be a systems administrator, but I'm a bit rusty since I've been a software developer for the last 10 years. A conflict with data center operations (DCO) group
  at work lead me to get another opinion.
  The question is this... is the authenticated users group a domain-level group or is there a local authenticated users group that would allow only users authenticated locally? We have a share that permits the authenticated users group access.
  My opinion is that all domain users who have authenticated successfully have access to this share. The DCO group is telling me that this is the local (to the server containing the share of course) authenticated users group only.
  Is there such a thing as a local-only authenticated users group? To me this doesn't even make sense, but I could very well be wrong.
  Nathon Dalton
  Sr. Software Engineer
  Blog: http://nathondalton.wordpress.com

  I apologize. I don't think I explained myself correctly. Let's consider the following...
  SERVER: SERVER1
  DOMAIN: DOMAIN1
  SHARE: \\SERVER1\SHARE1
  SHARE PERMISSIONS: Authenticated Users - Full Control
  Given the above information, is it possible that the Authenticated Users group will allow ONLY users that are defined on SERVER1 to access \\SERVER1\SHARE1?
  My understanding is that's not possible. There's one defined Authenticated Users group and that represents ALL users that are authenticated against DOMAIN1, whether added to local groups, shares, etc.
  What I'm being told however is that SHARE1 having Authenticated Users assigned is okay since only those user accounts defined on SERVER1 will be able to access it. All the users in the domain will NOT be able to access it. I think this is bogus. Am I wrong?
  Nathon Dalton
  Sr. Lead Developer
  Blog: http://www.nathondalton.com

• Sharepoint 2010, after restore, webpart only can viewd by authenticated users in the public page.

  Hi, I restore a Site from one server to other which have a different domain.
  I installed the wsp files, I published the page, I check for the site pages and everything is ok but, when I visit the page as normal
  user from internet, I get the next error when I visited the pages with webparts.
  When I visit the page with an authenticated user, that show me the webpart normaly.
  I try to check for permissions in the page, I click page permissions
  or library permissions and shows the next:
  Shows me the same error.
  Any ideas?
  Thanks a lot!!

  Hi,
  As I understand, after you restored the site from one server to other server you encountered the error.
  1. From the error you provided, it seems that it cannot find relative files, it is possible that you did not restore the site fully. You can restore the site again. 
  2. You can check the ULS log with the correlation ID, and get the details of the errors. You can fix the problems according to the details of the errors. 
  The case below is about there are several ways to backup and restore site in SharePoint 2010, you can refer to the case.
  http://sharepoint.stackexchange.com/questions/34639/problem-restoring-sharepoint-from-backup 
  Best regards,
  Sara Fan
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Need MBAM 2.5 Helpdesk and selfservice sites to open for authenticated users with no password prompt

  I Need MBAM 2.5 Helpdesk and self service sites to open for authenticated users with no password prompt. I just cant seem to get this to work. The account used in the application pool has its SPN registered and delegation set. I can use that account to login
  to the sites but am prompted for a password. That said anyone I add into the helpdesk users group cannot negotiate the sites. Only the account I have set in the application pool can. I want domain authenticated users that have been added to the MBAM Help Desk
  Users group to negotiate the site with NO password challenge at all.
  tconners

  This generally means that your SPN is not set up correctly.  Let's say the web server you installed the SSP on is lance.contoso.com and your app pool creds are corp\lance.  You should set an SPN similar to setspn -s http/lance.contoso.com
  corp\lance.  In your browser, you should now be able to access the SSP without prompts.  However, if you still get prompted, generally that means that your local intranet zone in IE does not have an entry for *.contoso.com.  Since you are entering
  an FQDN in your browser, IE interprets the "." to mean "on the internet" which breaks Kerberos authentication.  By adding *.contoso.com to your local intranet zone, you are telling it that lance.contoso.com is on the intranet, so use
  Kerberos.
  I can confirm, that I have exact configuration and I always get the password promt for the very first time. We have 2 server (1xIIS and 1xSQL) infrastructure in production with SPN set like it should and I get the password prompt.

• Cisco 1602i + Authenticating users via RADIUS?

                 Hello,
  Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with.  I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection.  The Guest connection works fine, using WPA PSK.  However, I can't seem to get the RADIUS authentication to work.  Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing.  Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command.  Can someone guide me on what I'm doing wrong?  I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore.  I am very stumped.  Here's the relevant config:
  aaa new-model
  aaa group server radius rad_eap
  server 10.200.5.24
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  clock timezone EST -5 0
  ip cef
  ip domain name gst
  dot11 syslog
  dot11 vlan-name guest vlan 255
  dot11 vlan-name user vlan 140
  dot11 ssid phoenix_2
     vlan 140
     band-select
     authentication open eap eap_methods
     mbssid guest-mode
  dot11 ssid walker_2
     vlan 255
     band-select
     authentication open
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 0353035E535879191B
  interface BVI1
  ip address 10.200.5.70 255.255.255.0
  ip default-gateway 10.200.5.1
  ip forward-protocol nd
  no ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip route 0.0.0.0 0.0.0.0 10.200.140.1
  ip route 0.0.0.0 0.0.0.0 10.200.5.1
  ip radius source-interface BVI1
  access-list 111 permit tcp any any neq telnet
  snmp-server community G!0bal RO
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
  radius-server vsa send accounting
  The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i. 

  Thanks Rasika, your link worked.  I had the authentication key before, but i removed it while I was trying different things.  My main issue was not applying the list name to the ssid, the documentation did not make it clear that when the radius server is specified using the "radius-server ...." command, that the radius group refers to that command when you configure the group.  Once that clicked, it made sense that the method list name was specifed by the radius group, and that the authentication methods then referred to the radius group.  It was a big question mark in my head how the radius server was applied to the SSID prior to reading your post.
  I haven't tried the "erase startup-config" command yet, I will try that next. 
  Quick question, why are both authentication open and authentication network-eap needed?  I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?

• How to make an user into Service authenticated user like cmadmin_service

  Hi All,
  I am trying to fetch the list of documents, properties, log on/logoff functionality with an iUser  ex: epuser, through java code.
  The list of docs are presented in the Documents Folder with teh following sample code
               |
  RID rid = RID.getRID("/documents");
  String userName = "epuser";
  IUserFactory userFactory = UMFactory.getUserFactory();
  com.sap.security.api.IUser userNew;
  userNew = userFactory.getUser(userName);
  com.sapportals.portal.security.usermanagement.IUser user = WPUMFactory.getUserFactory().getEP5User(userNew);
  ctx.setUser(user);
  IResource res = null;
  res = ResourceFactory.getInstance().getResource(rid, ctx);
  wnen i am trying to fetch all the docs and the corresponding properties by passing " cmadmin_service " as an user name. i am getting the right results. But when i tried with "epuser " i am getting the output as Service Authentication value false.
  Then i added epuser in the System Principal--->System User. still i am not getting the right results.
  plz help me how to make this epuser as service authenticated user like cmadmin_service user

  Hi phani,
  I have no direct solution but you should check the service permissions of the resources you are trying to fetch. The exception sounds like there is the problem. Go to the Details of the CM-Resource and Select Settings-->Service Permissions.
  Does the epuser has the necessary permissions for your operations?
  Another thing is the way you are creating users:
  The WPUMFactory has a special factory-method for creating service users. Perhaps this is a better aproach:
  WPUMFactory.getServiceUserFactory().getServiceUser(user);
  Best regards,
  Stefan Brauneis