Help required with ADFS 3.0 client certificate authentication

Hi,
I am currently working on integrating ADFS 3.o for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then
federate user credentials to 3rd party trust for single-sign-on.
I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to
use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
Thanks!
-Chinmaya Karve

Hi Yan,
Thanks for your response. I have gone through the posts that you have suggested, and my setup looks pretty much as expected.
So, as I mentioned earlier, I have 2 parallel setups with 3rd party service(SalesForce). Once of them is running ADFS 2.0 and another one has ADFS 3.0. I can logon to the third-party services, from both the setups using username/format. I can logon to SF
using client authentication certificate from ADFS 2.0 setup, but from the same client machine, when I try to logon SF via ADFS 3.0, the browser just does not pick up any certificate. The page just shows message of "Select a certificate that you want to use
for authentication. If you cancel the operation, please close your browser and try again.".
I have checked the browser, and it has the right certificates. Also, the same browser/machine is used to logon to SF through ADFS 2.0 via client certificate, which works just fine !
I am really confused now, as to whose issue this really is...
Just to confirm, I am using Certificate Authentication from ADFS 3.0 Authentication Methods for both Intranet and Extranet.
Any suggestion or inputs where I could have gone wrong in the setup?
Thanks!

Similar Messages

Project Server 2010 Web services access with Client Certificate Authentication

We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
web service applications that no longer connect to server with the new authentication configuration. Our custom applications are using the WCF interface to access the public web services.
Please let us know if it is possible to authenticate with AD FS 2.0 and then call
Project Server web services. Any help or coding examples would be greatly appreciated.

what is the error occurred when the custom PSI app connects?
can you upload the ULS logs here for research?
What is the user account format you specified in the code for authentication?
For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
'I:0#.w|mybusinessdomain\ewmccarty').
It requires you to manually call the UpnLogon method of
“Claims to Windows Token Service”. if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
{ var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity; }
if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
Than you need to extract UPN-Claim from the identity.
Upload the verbose log if possible.
Did you see this?
http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

Help required with Photoshop Elements 4.0 this has been installed on my new Toshiba laptop with windows 8.1 for some 18 months and operating well. Now it will not open, message pops up saying "attempt to access invalid address" then "application not respo

Help required with Photoshop Elements 4.0 this has been installed on my new Toshiba laptop with windows 8.1 for some 18 months and operating well. Now it will not open, message pops up saying “attempt to access invalid address” then “application not responding” Suggestions how to access would be much appreciated. Tks. Stuart

What is the size of your hard disk? PSE 4 is a very old program and I suspect it is not able to access the entire hard disk on your machine. Just a thought here.

Help require with installing Adobe Acrobat onto my Macbook Pro Retina.

Help require with installing Adobe Acrobat onto my Macbook Pro Retina.
I have successfully installed all of my creative cloud apps with the exception being acrobat.
I cannot print from Indesign to PDF.
I have unistalled, reinstalled and still no Adobe Acrobat.
I now have to go back to Windows 8 and create the PDF's there.
Any one know how to get around this issue?
Thanks in advance
Kelvin

OSX has effectively killed the ability to print to pdf, (print to pdf eliminates most of the "Rich features" of current pdf).
Export from InDesign, always, excpet for the 1% of the time where you know why print to pdf would produce a better result.

Help required with (soundcard) connection / settings, thanks in advan

Help required with connection / settings between a Creative Sound Blaster Audigy Platinum EX (soundcard) and a Creative DTT3500 Digital (5. speakers).
The problem
No sound from any of the speakers. (Exception can plug in headphones at front)
Background
My computer has been recently upgraded at my local computer shop and all programs re-installed (including driver update from Creative's website). However after reconnecting speakers and restoring the original settings I?m getting no sound from any of the speakers. I?ve followed all the available advice/instructions I can find on this website and manuals to no avail.
Set-up
Physical
(Digital DIN) Speakers/decoder amplifier (DTT3500) connected to the (digital out) soundcard (Audigy Platinum EX) using minijack to DIN cable. (As per instruction manual)
Software
Creative Audio Consul ? setting as per instructions, however have tried variations in vain. (Note: above tabs there is a select device box with SB Audigy [A0000] in it ? only option. Just wondering what [A0000] means?)
Your advice please. A simple step by step guide would be appreciated, many thanks in advance, Jon

"My computer has been recently upgraded at my local computer shop and all programs re-installed (including driver update from Creative's website). "
Do you have the original installation disk?
If so, try installing THOSE drivers, ESPECIALLY if it worked before. Be sure to uninstall what is there now, first.
Its natural for most people to want the 'latest' drivers for their hardware. However:
After experiencing some difficulties with some CL 'updates' for certain products, I now avoid them UNLESS I am having a PROBLEM with the existing drivers.

SOAP -Client Certificate Authentication in Receiver SOAP Adapter

Dear All,
We are working on the below scenario
SAP R/3 System -> XI/PI -> Proxy -> Customer
In this, SAP R/3 System sends a IDOC and XI should give that XML Payload of IDOC to Customer.
Cusomer gave us the WSDL file and also a Certificate for authentication.
Mapping - we are using XSLT mapping to send that XML payload as we need to capture the whole XML payload of IDOC into 1 field at the target end ( This was given in the WSDL).
Now, how can we achieve this Client Certificate authentication in the SOAP Receiver Adapter when we have Proxy server in between PI/XI and Customer system.
Require your inputs on Client Certificate authentication and Proxy server configuration.
Regards,
Srini

Hi
Look this blog
How to use Client Authentication with SOAP Adapter
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
Also refer to "SAP Security Guide XI" at service market place.
ABAP Proxy configuration
How do you activate ABAP Proxies?

Need help with Apache self signed client certificates.

At work we use PHPmyadmin to administer our central MySQL database.
In order to access PHPmyadmin we use self signed ssl client certificates, for our developers, so that you can only access phpmyadmin if you have a valid client certificate installed in your browser.
The ssl certificate on the webserver hosting phpmyadmin has expired now and I would like to extend it, preferrably without having to re-genereate client certificates for all users.
I'm a bit confused to the approach. Most howtos I've found deal with extending a webserver certificate. but it really just looks like they generate a new one.
Can anyone help me out with how best to approach this.
Do I simply generate a new Apache Server certificate and then use this to re-sign the existing client certificates?

As the SOAP servlet says: "Sorry, I don't speak via HTTP GET- you have to use HTTP POST to talk to me.", you must use the HTTP POST method and not the GET method to use SOAP.
Use setRequestMethod("POST") of class HttpURLConnection to make your HTTP connection use the POST method.
(I didn't look at all your code).
Jesper

Help required building ADF-Swing/ADF-Faces using ADF Business Components

My question is in regards to how you can go about building a light swing application to an ADF model?
In particular if I were to say that we were developing a 3-tier project whereby we had a database tier, a series of EJB-ADF façade session beans to the database (middle-tier), and a swing client communicating with the session beans (view-controller tier), how would you go about developing these screens?
In particular can we develop these screens using ADF-Faces and also ADF-Swing?
The EJB session façade beans of course are ADF app modules with customised methods. The methods would return back customised DTO objects. These DTO objects are wrappers to row objects ADF would create. This would be mainly due to making these facade beans web service enabled (Oracle state that these methods cannot return oracle.jbo objects if they are to be web service enabled).
This would be typically deployed to an app server, like Oracle App Server 10G.
Could you please have a look at this, as I am doing a lot of research into this.
eg. Taking example from oracle magazine sept/oct 2006
with slight enhancements
package oramag.frameworks.example.common;
import oracle.jbo.ApplicationModule;
import oramag.frameworks.customdto.EmployeeDTO;
public interface HRService extends ApplicationModule {
void deleteCurrentEmpAndCommit();
EmployeeDTO findEmployee(int employeeId); // new method
import oramag.frameworks.customdto.EmployeeDTO;
public class HRServiceImpl extends ApplicationModuleImpl {
public void deleteCurrentEmpAndCommit() {
Row empRow = getEmpView().getCurrentRow();
if (empRow != null) {
empRow.remove();
getDBTransaction().commit();
public EmployeeDTO findEmployee(int employeeId)() {
EmployeeDTO employeeDTO = null;
EmployeesImpl employees = getEmployees();
employees.setNamedWhereClauseParam("EmployeeId", employeeId);
employees.executeQuery();
if(employees.hasNext()) {
EmployeesRowImpl employee = (EmployeesRowImpl)employees.next();
employeeDTO = new EmployeeDTO(employee);
return employeeDTO;
public EmployeesImpl getEmployees() {
return (EmployeesImpl)findViewObject("Employees");
Now given the above code snippet, how could you turn this into an ADF-Swing/ADF Faces application so that if a user using the swing application enters an employee id, then the application will execute the query on the app server, the app server in turn returns the results to the client, and the client finally display the results. Typical MVC example.
Cheers
Rodney

The tutorial is for ADF BC used with JavaServer Faces.
While the tutorial doesn't cover it, we also support drag and drop development for Swing and visual WYSIWYG layout for Swing panels and windows, too. For a very simple example, watch screencast #4 on my blog here:
http://radio.weblogs.com/0118231/stories/2005/06/24/jdeveloperAdfScreencasts.html
One thing I have noticed is that when using ADF business components, when the app module returns a custom DTO object like the above example, it returns the data in a element structure according to the data control palette.
You don't generally ever need to create your own custom DTO's when working with ADF for use by client UI's. The only situation where can be necessary -- until we simplify this in the JDeveloper/ADF 11g release -- is when you desire to expose custom methods that can return sets/arrays of typed row structures through a web service. However, web services are not involved/required in building 3-tier Swing applications.
When dropping onto a page it does so like a string and doesnt give option to display the data in a read only form etc. Is there anything we need to do, to get the functionality.
It's more of what you don't need to do :-)
Just leverage the active data model that the ADF application module provides. You can read more about it in section 4.5 "Understanding the Active Data Model" of the ADF Developer's Guide for Forms/4GL Developers on the ADF Learning Center at http://www.oracle.com/technology/products/adf/learnadf.html). Your UI's bind to view object instances in the data model, and your UI's are automatically kept up to date without needing to write methods that return data. I short article I wrote that preceeded my writing the ADF Developer Guide content on this topis is here:
http://radio.weblogs.com/0118231/stories/2006/01/26/theAdfBusinessComponentsActiveDataModel.html
I know that when dropping a view object you get this functionality. Also was wondering if we were to pass an object of thios type back to the model it might not give us the rich functionality like input forms, like what Oracle provides if we were to drop a enitity view object.
Just use the active data model and everything becomes totally easy, with no changes required to switch between local or three-tier deployment configurations.
Trying to do everything with hand-coded DTO beans is really going the hard way.
Could you help us regarding this?

Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
 <auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
 protected void init(Properties props)
 throws BadRealmException, NoSuchRealmException
 public java.util.Enumeration getGroupNames (String username)
 throws InvalidOperationException, NoSuchUserException
 public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
 protected AuthenticationStatus authenticate()
 throws LoginException
 private String[] authenticate(String username,String passwd)
 private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* The certificate realm needs the following properties in its
* configuration: None.
* The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
 protected void init(Properties props)
 * Returns the name of all the groups that this user belongs to.
 * @param username Name of the user in this realm whose group listing
 * is needed.
 * @return Enumeration of group names (strings).
 * @exception InvalidOperationException thrown if the realm does not
 * support this operation - e.g. Certificate realm does not support
 * this operation.
 public Enumeration getGroupNames(String username)
 throws NoSuchUserException, InvalidOperationException
 * Complete authentication of certificate user.
 * As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This default
 * implementation does nothing. The call has been preserved from S1AS
 * as a placeholder for potential subclasses which may take some
 * action.
 * @param certs The array of certificates provided in the request.
 public void authenticate(X509Certificate certs[])
 throws LoginException
 // Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM

Ssl-handshake fails with scandinavian chars in client certificate

Hello,
We've run into a problem with 2-way-ssl and certificates that have scandinavian
characters in the subject. The problem cert is used as client-certificate for
authentication and it goes like this:
1. Client surfs with http in our site, until clicks https-link that will immediately
start the ssl-handshake
2. Server presents it's trusted cert-list fine
3. PIN is being asked fine
4. Next the request processing stops on the exception below and nothing will happen
on the client side.
Certs without these äöå -chars work fine, so our guess is that they cause it,
but the certs ought to be according to specs: name-fields encoding is UTF-8 according
to RFC 2459 from year 1999. A failing example-cert is also below.
Would this be a problem with the certificate rather than BEA-implementation?
Same behavior on Windows and Solaris Weblogic 8.11 as such and with SP2 (and with
sp2 + CASE_ID_NUM: 501454 hotfix).
Best Regards,
Igor Styrman
<avalable(): 20303264 : 0 + 0 = 0>
<write ALERT offset = 0 length = 2>
<SSLIOContextTable.removeContext(ctx): 1765100>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <Filtering JSSE
SSLSocket>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.addContext(ctx):
6487148>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLSocket will
be Muxing>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.findContext(is):
11153746>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL Version 2 with no padding>
<21647856 SSL3/TLS MAC>
<21647856 received SSL_20_RECORD>
<HANDSHAKEMESSAGE: ClientHelloV2>
<write HANDSHAKE offset = 0 length = 58>
<write HANDSHAKE offset = 0 length = 1789>
<Converting principal: OU=Class 4 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<Converting principal: CN=SHP ROOT CA, O=SHP, C=FI>
<Converting principal: CN=topsel, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=SatShp CA, O=Satakunnan sairaanhoitopiiri, C=FI>
<Converting principal: OU=Class 1 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<Converting principal: [email protected], CN=Thawte Personal
Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Personal
Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<Converting principal: CN=GTE CyberTrust Root, O=GTE Corporation, C=US>
<Converting principal: [email protected], CN=Thawte Server
CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western
Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Personal
Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Premium
Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape
Town, ST=Western Cape, C=ZA>
<Converting principal: OU=Secure Server Certification Authority, O="RSA Data Security,
Inc.", C=US>
<Converting principal: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore,
C=IE>
<Converting principal: CN=Fujitsu Test CA, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=PSHP CA, O=Pirkanmaan sairaanhoitopiiri, C=FI>
<Converting principal: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust,
O=Baltimore, C=IE>
<Converting principal: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<write HANDSHAKE offset = 0 length = 2409>
<write HANDSHAKE offset = 0 length = 4>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL3/TLS MAC>
<21647856 received HANDSHAKE>
<HANDSHAKEMESSAGE: Certificate>
PM EEST> <Error> <Kernel> <> <satshpeduServer> <ExecuteThread: '14' for queue:
'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-000802> <ExecuteRequest failed
java.lang.NullPointerException: Could not set value for ASN.1 string object..
java.lang.NullPointerException: Could not set value for ASN.1 string object.
 at com.certicom.security.asn1.ASN1String.setValue(Unknown Source)
 at com.certicom.security.asn1.ASN1String.setBufferTo(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeString(Unknown Source)
 at com.certicom.security.asn1.ASN1String.decode(Unknown Source)
 at com.certicom.security.pkix.AttributeTypeAndValue.decodeContents(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
 at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
 at com.certicom.security.asn1.ASN1SetOf.decodeContents(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeSetOf(Unknown Source)
 at com.certicom.security.asn1.ASN1SetOf.decode(Unknown Source)
 at com.certicom.security.asn1.ASN1SequenceOf.decodeContents(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
 at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
 at com.certicom.security.pkix.Name.decodeContents(Unknown Source)
 at com.certicom.security.asn1.ASN1Choice.decode(Unknown Source)
 at com.certicom.security.pkix.TBSCertificate.decodeContents(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
 at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
 at com.certicom.security.pkix.Certificate.decodeContents(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
 at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
 at com.certicom.security.asn1.ASN1Type.decode(Unknown Source)
 at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
 at com.certicom.tls.record.handshake.MessageCertificate.<init>(Unknown Source)
 at com.certicom.tls.record.handshake.HandshakeMessage.create(Unknown Source)
 at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
Source)
 at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
 at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
 at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
 at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
Source)
 at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown
Source)
 at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
 at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
 at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
-----BEGIN CERTIFICATE-----
MIID+zCCAuOgAwIBAgIDFm/PMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkZJ
MRwwGgYDVQQKExNGdWppdHN1IFNlcnZpY2VzIE95MRgwFgYDVQQDEw9GdWppdHN1
IFRlc3QgQ0EwHhcNMDQwNjAyMTE1MjE4WhcNMDYwNjAyMTIyMjE4WjB3MQswCQYD
VQQGEwJGSTEQMA4GA1UEChMHRnVqaXRzdTEgMB4GA1UEAwwXSMO2bG3DtmzDpGlu
ZW4gw4VrZSAwMDExDDAKBgNVBAUTAzAwMTEXMBUGA1UEBAwOSMO2bG3DtmzDpGlu
ZW4xDTALBgNVBCoMBMOFa2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO44
Zm31uJb8048/6PByPyXzaW3gCz1mT02TuwVtjMRJ4ObbFCqMGC+YosA2kNKoW0Ef
C+YlKNqhvaid0bATQefdSHVQhzFL3HFIfZc3ONAJQ/U+I6W69r2JePoCvZppknmC
YrnCCDx3Ap27B7v57f/XTmdpiB8IdiCTl3PnV78PAgMBAAGjggFEMIIBQDAfBgNV
HSMEGDAWgBT8T+xYc3T6j89O8cZ4hC9r1e9DojAdBgNVHQ4EFgQUtS4z8K26uW2d
IeJ3aelDnqnkBnYwCwYDVR0PBAQDAgSwMFMGA1UdEQRMMEqgKwYKKwYBBAGCNxQC
A6AdDBtha2UuaG9sbW9sYWluZW5AZnVqaXRzdS5jb22BG2FrZS5ob2xtb2xhaW5l
bkBmdWppdHN1LmNvbTB9BgNVHR8EdjB0MHKgcKBuhmxsZGFwOi8vMjEyLjI0Ni4y
MjIuMTQyOjM4OS9DTj1GdWppdHN1JTIwVGVzdCUyMENBLE89RnVqaXRzdSUyMFNl
cnZpY2VzJTIwVGVzdCxDPUZJP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwHQYD
VR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQAZ
KV3Og/y6zUOMwZGswUxAne5fe4Ab70bmX+z49MVeA0dfdQwQdR9GwFVF+fcK+q0T
3Lmcwpm5KiHWYoIOxPb6MqTTWxV7HSXWr7A7P4BbTGxsujpUULcmQGQFAd69R0Ur
JFDwYnDEP2+4RzrvlP6AWspyHJePYmCt9h3JfxYAqVLTL0suO1uh8hgtStujmqsI
0WNCfnQ+sURdDzp6WpVFcxFQa5aAcyx9sWWqV5Ta5l6JTCmoHth7qoV3BtUKv4+z
SqIHKA1ixrvlhqWkjYxg51N6ihbbR5shBRRinAqRIQjTzXmun2wJzwNigt4zWiNg
tvrGCMOrvrb5QTxVtLNr
-----END CERTIFICATE-----

BMPString is another asn1 type that can be used for certificate attributes with
non-ascii characters. The workaround is simply to use the BMPString instead of
UTF8String for that subject name attribute in the certificate request. This off-course
assumes that you can replace the certificate, and have control over what asn1
type is used for the subject name attributes in the certificate request (via a
tool options, or by generating the request yourself), so it is probably not applicable.
Pavel.
"Ari Räisänen" <[email protected]> wrote:
>
Thanks again, Pavel!
I'm filing a support case about this. You talked about a workaround (BMPString).
Could you be more spesific? I haven't talked about this issue with Igor
yet.
Regards,
Ari
"Pavel" <[email protected]> wrote:
Sounds like a bug in certicom code. It should support UTF8String.
I'd file a support case.
You might be able to use BMPString instead as a workaround.
Pavel.
"Igor Styrman" <[email protected]> wrote:
Hello,
We've run into a problem with 2-way-ssl and certificates that have
scandinavian
characters in the subject. The problem cert is used as client-certificate
for
authentication and it goes like this:
1. Client surfs with http in our site, until clicks https-link thatwill
immediately
start the ssl-handshake
2. Server presents it's trusted cert-list fine
3. PIN is being asked fine
4. Next the request processing stops on the exception below and nothing
will happen
on the client side.
Certs without these äöå -chars work fine, so our guess is that they
cause it,
but the certs ought to be according to specs: name-fields encoding
is
UTF-8 according
to RFC 2459 from year 1999. A failing example-cert is also below.
Would this be a problem with the certificate rather than BEA-implementation?
Same behavior on Windows and Solaris Weblogic 8.11 as such and withSP2
(and with
sp2 + CASE_ID_NUM: 501454 hotfix).
Best Regards,
Igor Styrman
<avalable(): 20303264 : 0 + 0 = 0>
<write ALERT offset = 0 length = 2>
<SSLIOContextTable.removeContext(ctx): 1765100>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <Filtering
JSSE
SSLSocket>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.addContext(ctx):
6487148>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLSocket
will
be Muxing>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.findContext(is):
11153746>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL Version 2 with no padding>
<21647856 SSL3/TLS MAC>
<21647856 received SSL_20_RECORD>
<HANDSHAKEMESSAGE: ClientHelloV2>
<write HANDSHAKE offset = 0 length = 58>
<write HANDSHAKE offset = 0 length = 1789>
<Converting principal: OU=Class 4 Public Primary Certification Authority,
O="VeriSign,
Inc.", C=US>
<Converting principal: CN=SHP ROOT CA, O=SHP, C=FI>
<Converting principal: CN=topsel, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust
Solutions,
Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=SatShp CA, O=Satakunnan sairaanhoitopiiri,
C=FI>
<Converting principal: OU=Class 1 Public Primary Certification Authority,
O="VeriSign,
Inc.", C=US>
<Converting principal: [email protected], CN=Thawte
Personal
Basic CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape
Town,
ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte
Personal
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: OU=Class 3 Public Primary Certification Authority,
O="VeriSign,
Inc.", C=US>
<Converting principal: CN=GTE CyberTrust Root, O=GTE Corporation, C=US>
<Converting principal: [email protected], CN=Thawte
Server
CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape
Town, ST=Western
Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte
Personal
Premium CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte
Premium
Server CA, OU=Certification Services Division, O=Thawte Consultingcc,
L=Cape
Town, ST=Western Cape, C=ZA>
<Converting principal: OU=Secure Server Certification Authority, O="RSA
Data Security,
Inc.", C=US>
<Converting principal: CN=Baltimore CyberTrust Root, OU=CyberTrust,O=Baltimore,
C=IE>
<Converting principal: CN=Fujitsu Test CA, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Root 5, OU="GTE CyberTrustSolutions,
Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=PSHP CA, O=Pirkanmaan sairaanhoitopiiri,
C=FI>
<Converting principal: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust,
O=Baltimore, C=IE>
<Converting principal: OU=Class 2 Public Primary Certification Authority,
O="VeriSign,
Inc.", C=US>
<write HANDSHAKE offset = 0 length = 2409>
<write HANDSHAKE offset = 0 length = 4>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL3/TLS MAC>
<21647856 received HANDSHAKE>
<HANDSHAKEMESSAGE: Certificate>
PM EEST> <Error> <Kernel> <> <satshpeduServer> <ExecuteThread: '14'
for queue:
'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-000802> <ExecuteRequest
failed
java.lang.NullPointerException: Could not set value for ASN.1 string
object..
java.lang.NullPointerException: Could not set value for ASN.1 string
object.
 at com.certicom.security.asn1.ASN1String.setValue(Unknown Source)
 at com.certicom.security.asn1.ASN1String.setBufferTo(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeString(UnknownSource)
 at com.certicom.security.asn1.ASN1String.decode(Unknown Source)
 at com.certicom.security.pkix.AttributeTypeAndValue.decodeContents(Unknown
Source)
 at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
Source)
 at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
Source)
 at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
 at com.certicom.security.asn1.ASN1SetOf.decodeContents(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
Source)
 at com.certicom.security.asn1.DERInputStream.decodeSetOf(Unknown Source)
 at com.certicom.security.asn1.ASN1SetOf.decode(Unknown Source)
 at com.certicom.security.asn1.ASN1SequenceOf.decodeContents(Unknown
Source)
 at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
Source)
 at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
Source)
 at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
 at com.certicom.security.pkix.Name.decodeContents(Unknown Source)
 at com.certicom.security.asn1.ASN1Choice.decode(Unknown Source)
 at com.certicom.security.pkix.TBSCertificate.decodeContents(Unknown
Source)
 at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
Source)
 at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
Source)
 at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
 at com.certicom.security.pkix.Certificate.decodeContents(Unknown Source)
 at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
Source)
 at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
Source)
 at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
 at com.certicom.security.asn1.ASN1Type.decode(Unknown Source)
 at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown
Source)
 at com.certicom.tls.record.handshake.MessageCertificate.<init>(Unknown
Source)
 at com.certicom.tls.record.handshake.HandshakeMessage.create(Unknown
Source)
 at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
Source)
 at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
 at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
 at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown
Source)
 at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
Source)
 at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown
Source)
 at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
 at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
 at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
-----BEGIN CERTIFICATE-----
MIID+zCCAuOgAwIBAgIDFm/PMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkZJ
MRwwGgYDVQQKExNGdWppdHN1IFNlcnZpY2VzIE95MRgwFgYDVQQDEw9GdWppdHN1
IFRlc3QgQ0EwHhcNMDQwNjAyMTE1MjE4WhcNMDYwNjAyMTIyMjE4WjB3MQswCQYD
VQQGEwJGSTEQMA4GA1UEChMHRnVqaXRzdTEgMB4GA1UEAwwXSMO2bG3DtmzDpGlu
ZW4gw4VrZSAwMDExDDAKBgNVBAUTAzAwMTEXMBUGA1UEBAwOSMO2bG3DtmzDpGlu
ZW4xDTALBgNVBCoMBMOFa2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO44
Zm31uJb8048/6PByPyXzaW3gCz1mT02TuwVtjMRJ4ObbFCqMGC+YosA2kNKoW0Ef
C+YlKNqhvaid0bATQefdSHVQhzFL3HFIfZc3ONAJQ/U+I6W69r2JePoCvZppknmC
YrnCCDx3Ap27B7v57f/XTmdpiB8IdiCTl3PnV78PAgMBAAGjggFEMIIBQDAfBgNV
HSMEGDAWgBT8T+xYc3T6j89O8cZ4hC9r1e9DojAdBgNVHQ4EFgQUtS4z8K26uW2d
IeJ3aelDnqnkBnYwCwYDVR0PBAQDAgSwMFMGA1UdEQRMMEqgKwYKKwYBBAGCNxQC
A6AdDBtha2UuaG9sbW9sYWluZW5AZnVqaXRzdS5jb22BG2FrZS5ob2xtb2xhaW5l
bkBmdWppdHN1LmNvbTB9BgNVHR8EdjB0MHKgcKBuhmxsZGFwOi8vMjEyLjI0Ni4y
MjIuMTQyOjM4OS9DTj1GdWppdHN1JTIwVGVzdCUyMENBLE89RnVqaXRzdSUyMFNl
cnZpY2VzJTIwVGVzdCxDPUZJP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwHQYD
VR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQAZ
KV3Og/y6zUOMwZGswUxAne5fe4Ab70bmX+z49MVeA0dfdQwQdR9GwFVF+fcK+q0T
3Lmcwpm5KiHWYoIOxPb6MqTTWxV7HSXWr7A7P4BbTGxsujpUULcmQGQFAd69R0Ur
JFDwYnDEP2+4RzrvlP6AWspyHJePYmCt9h3JfxYAqVLTL0suO1uh8hgtStujmqsI
0WNCfnQ+sURdDzp6WpVFcxFQa5aAcyx9sWWqV5Ta5l6JTCmoHth7qoV3BtUKv4+z
SqIHKA1ixrvlhqWkjYxg51N6ihbbR5shBRRinAqRIQjTzXmun2wJzwNigt4zWiNg
tvrGCMOrvrb5QTxVtLNr
-----END CERTIFICATE-----

Immediate help required with this job scheduling scenario

I have a job that needs to run a procedure hourly but not between 6:00 AM to 8:00 AM and 6:00 PM to 8:00 PM.
Can anyone help me with how to schedule this job.

If you use a window the job would only execute if the window opens. If for some reason the window did not open then the job would not execute.
Windows should be used to specify which resource plan should be active for the time interval.
In this case you are better off using FREQ=DAILY; BYHOUR=; and specify the hours.

Help required with Select statment..... ASAP pls

HI All,
Let me desc my table first .
01                             NOT NULL VARCHAR2(5)
02                             NOT NULL VARCHAR2(5)
03                             NOT NULL VARCHAR2(5)
04                             NOT NULL VARCHAR2(5)
31                                                    This is how table has been created(Note:not by me)
select name from od_shift where year=2011 and month='Feb' and "02"='W"{code}-->no doubt this is working fine
My problem is ...here rather putting the number directly ("01","02","03"....."31")
I need to take it from the first two digits of date('01-feb-2011')
like {code}
select name from od_shift where year=2011 and month='Feb' and to_char(to_date('01-feb-2011','dd-mon-yyyy'),'dd')='W" but this is not working
kindly help me with this .
Edited by: Basva on Mar 8, 2011 4:53 AM

Pleiadian wrote:
You could do a case statement. It's not elegant, but it works
Edit: smon's solution is better if pl/sql is an optionI disagree, it's quite elegant given the cirumstances of that sick table. And it definitely beats a dynamic SQL solution.
@Basva - when will you realize that your table is no good, and needs to be normalized into a more traditional relational table?
Regards
Peter

Help required with an image

Hi all,
I wonder if someone can help me with the following issue.
If you see the attached image in the top left hand corner their is a square box which is a different shade to the rest of the header.
I need to rectify this and blend it in with the rest on the header colour; however, I do not know how to do this and would appreciate some assistance in doing this.
I'm a noobie to photoshop so any help is much appreciated.

It seems you've copied another portion of the texture to overlay something you didn't want seen...
As opposed to copy/paste of a rectangular region, this is almost a textbook use for Content Aware Fill, which should (assuming it works properly) match the pattern and blend the colors.
Try selecting just the blemish or whatever you're trying to cover, then expand the selection a few pixels, then Edit - Fill - Content Aware.
-Noel

Help required with User exit logic

Hi gurus,
Please help me with the logic I wrote for the user exit for a PP Work Center View extract structure. Here is the details of the add on fields: VGW01, VGW02, VGW03, STEUS(from table PLPO); DataSource: 2LIS_04_P_ARBPL,
data: l_s_pp1 like MC04P_0ARB(extract structure of 2LIS_04_P_ARBPL),
l_tabix like sy-tabix,
lv_VGW01 like PLPO-VGW01.
lv_VGW02 like PLPO-VGW02.
lv_VGW03 like PLPO-VGW03.
lv_STEUS like PLPO-STEUS.
tables : PLPO.
case i_datasource.
when '2LIS_04_P_ARBPL'.
loop at c_t_data into l_s_pp1.
select single vgw01into lv_vgw01
from PLPO
where field = l_s_pp1-field.
if sy-subrc = 0.
l_s_pp-zzvgw01 = lv_vgw01.
l_s_pp-zzvgw02 = lv_vgw02.
l_s_pp-zzvgw03 = lv_vgw03.
l_s_pp-zzsteus = lv_steus.
endif.
modify c_t_data from l_s_pp1 index l_tabix.
endloop.
Any additional comments welcome. Thanks in advance.

Hi,
Try coding as per the below code
case i_datasource.
When '2LIS_04_P_ARBPL'.
DATA: lt_data TYPE TABLE OF MC04P_0ARB.
FIELD-SYMBOLS: <ls_data> TYPE MC04P_0ARB.
Internal table for
TYPES:
 BEGIN OF ty_tbl1,
 lv_VGW01 TYPE PLPO-VGW01,
 lv_VGW02 TYPE PLPO-VGW02,
 lv_VGW03 TYPE PLPO-VGW03,
 l_bmsch TYPE XXXX-XXXX,
 l_plnnr TYPE XXXX-XXXX
 l_datuv TYPE XXXX-XXXX
 l_aennr TYPE XXXX-XXXX
 l_plnkn TYPE XXXX-XXXX
 l_plnal TYPE XXXX-XXXX
 END OF ty_tbl1.
DATA:
 lt_tb1 type standard table of ty_tbq,
 ls_tb1 type ty_tb1.
lt_data[] = c_t_data[].
Read data into internal memory using jOins
select aVGW01 aVGW02 aVGW02 aVGW02 bbmsch bplnnr bdatuv baennr bplnkn bplnal into into CORRESPONDING FIELDS OF TABLE
lt_tb1 from PLPO as a innerjoin XXXX as b where aXXXX=bXXXX.
use the internal table to get the data to the enhaced fileds
LOOP AT lt_data ASSIGNING <ls_data>.
 read table lt_tb1 into ls_tb1
 with key XXXXX = <ls_data>-XXXX .
 if sy-subrc eq 0.
 <ls_data>-lV_VGW01 = ls_tb1-lv_VGW01,
 <ls_data>-lV_VGW02 = ls_tb1-lv_VGW02,
 <ls_data>-lV_VGW03 = ls_tb1-lv_VGW03,
 <ls_data>-bmsch = ls_tb1-bmsch,
 <ls_data>-plnnr = ls_tb1-plnnr,
 <ls_data>-datuv = ls_tb1-datuv,
 <ls_data>-aennr = ls_tb1-aennr,
 <ls_data>-plnkn = ls_tb1-plnkn,
 <ls_data>-pln1l = ls_tb1-plnal.
 MODIFY lt_data FROM <ls_data>.
 endif.
ENDLOOP.
REFRESH c_t_data.
c_t_data[] = lt_data[].
Note that the code is not written with the exact fields. Change the fields where necessary(also i have joined only 2 tables if needs to be joind form more than 2 table change the join statement accordingly).
Thanks,
Nagarjuna
Edited by: Nagarjuna Reddy on Oct 20, 2011 3:39 AM

Client Certificate Authentication

Hi guys
I am not sure if this is the right place to ask but here I go. We are trying to find the best option to push client certificates to our user's Mobile Devices so they just log into a website, type their credentials and the user certificated get pushed.
We have implemented Workplace Join, this allows us to use the certificate pushed by ADFS to log into a webapp with the only once, then for some reason (still under investigation) doesn't work anymore.
I have also read about Client Certificate Mapping Authentication with IIS and AD but obviously the Client Certificate has to be in the mobile device in order to accomplish the authentication.
Windows Intune ultimately will do the trick but the idea of this research is to find out what's available in Microsoft platform.
any help would be truly appreciated
Jesus

If IIS is used for certificate distribution (and access to CRLs), I think this could be done with Active Directory Certificate Services.
Users could go to the website of the issuing certificate authorities and make a request.
I've only done this for real with Group Policy triggering the request behind the scenes for *domain members* and approval based on membership in a particular group.
So I'm not 100% sure how you would configure automatic issuance of the cert based on entry of a correct password. Usually, the "certificate managers" have to approve per company policy.
I'll look further though (interested in this myself).
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

Help required with ADFS 3.0 client certificate authentication

Similar Messages

Maybe you are looking for