Help  - SPENGO - Microsoft SSO with WLS 9.2

Similar Messages

• Need help on SAP SSO with SAML & SSO2

  Dear expert,
  We met an SSO issue on launchpad.
  Here is our scenario and SSO structure. We use fiori launchpad to display all SAP apps.
  1. When  an user visit launchpad URL, URL will redirect user to identity provider (IDP) for SAML authentication.
  2. Then IDP authenticate with SAML2.0 token back to gateway.
  3. Gateway accept the SAML2.0 token and issue SSO2 logon ticket.
  4. Use logon ticket to backend ABAP ERP system for transaction apps.
  5. Use logon ticket to HANA system for factsheet.
  Now the first step above is OK as SAML token can be authenticated back to gateway. But after that, the basic form authentication pop-up for user credential on both backend system and HANA, which should not. We found out that launchpad was stucked with error message "/sap/es/ina/GetServerInfo HTTP/1.1 401 Unauthorized" at ERP backend service "GetServerInfo". By checking the cookies, we found out that after SAML token accepted by gateway, gateway did not issue any MYSAPSSO2 ticket.
  However, when we disabled SAML and use form authentication for launchpad, SSO2 logon ticket works perfectly among GW, ERP and HANA.  So, there should be no issue configuration regarding SSO2 logon ticket in SAP GUI.
  here is the system information:
  GW: NW740 SP5
  ERP: ECC6 on NW740 SP5
  HANA: v70
  Please kindly help us out on this issue. Please ask if other information is needed. thanks.
  Best regards,
  Xian' an

  This discussion thread belongs to the SAP Gateway space. For generic SSO related queries where portal is not involved the correct space is SAP NetWeaver Application Server. This space is for NetWeaver Single Sign-On (NWSSO, the separately purchasable product) topics only.

• Help accessing Microsoft Hotmail with firefox 4.01

  I can't access the windows live login using Firefox 4.01
  In fact, errors appear to be generated (far too many to list here)
  Please, can I use and login to Microsoft Hotmail
  and Windows Live Login again (!!)

  Hotmail is rolling out a server change at their end which might be causing this problem. Mozilla has spoken to them about it and they are trying to fix it. I won't be able to provide you a time estimate by when it will be solved but hotmail/mozilla is certainly looking at this issue.
  I will let you know if get any updates!

• When i use the apple tv it puts my computer to sleep.  the last time this happened i lost microsoft word with all the documents.  i'm asked to relaunch, but that step fails.  i'm frantic! can anyone help me see my documents again?

  when i use the apple tv it puts my computer to sleep.  the last time this happened i lost microsoft word with all the documents.  i'm asked to relaunch, but that step fails.  i'm frantic!  can anyone help me see my documents again? this also prevents me from reading attachments in my mail, since they are frequently launched in word.

  There's a whole lot to read in your post, and frankly I have not read it all.
  Having said that, this troubleshooting guide should help:
  http://support.apple.com/kb/TS1538
  In particular, pay attention to the mobile device support sections near the bottom, assuming you have already done the items above it.

• I need help integrating Microsoft Office, Outlook and Calendar with my job and is it possible

  Ok guys I am new to the iphone 4s. I just dumped my Blackberry after 10 years. I need help integrating Microsoft Office, Outlook and Calendar with my job and is it possible? Also I need it to automatically push email and appointments to my phone? I will buy any app just need to know which is best for work environment. Here is what I am thinking about doing. http://www.groovypost.com/howto/apple/sync-iphone-or-ipod-touch-calendar-and-con tacts-with-google/ Is this the best way? For personal use I am using paid G whiz app

  I use Google Calendar Sync to sync my work Outlook calendar to a gmail account, then sync that to my iPhone.  It works well for me for the past couple of years.
  As far as mail itself, just ask your it folks for settings for remote access to your exchange account, and then set it up on the phone.
  As far as working with Office docs, to be able to actually edit them and such, look in the app store for DocsToGo or QuickOffice - they both are good but each has it's pros and cons, so on balance it's down to mere preference i think.

• Inet opta2000 XDatasource with WLS 6.0 sp1, please help

            Hi,
            I am using I-net Opta 2000 v2.05 JDBC XADriver with WLS 6.0 sp1.
            I create a connection pool using com.inet.tds. XDatasouce. In
            WLS startup script, I put in -Dweblogic.Debug=weblogic.JTAJDBC
            debug switch. The output reports UnknownMethod datasourceName
            exception. I attached stack trace at the end. I didn't create datasourceName.
            the next thing I want to do is:
            1) Create one CMP entity bean name cmpBean_1 using XA Pool one
            connects with MS SQL Database DB1.
            2) Create second CMP entity bean name cmpBean_2 using XA Pool
            two connects with MS SQL Database DB2.
            3) In a sessionless bean, I will do
            ut = ctx.getUserTransaction();
            ut.begin();
            cmpBean_1.doSomething();
            cmpBean_2.doSomething();
            ut.commit();
            Could I do like this?
            Thanks in advance.
            Rock
            config.xml
            <JDBCConnectionPool DriverName="com.inet.tds.XDataSource"
            Name="rock_development_tx"
            properties="user=app;password=lication" Targets="Moon"
            URL="jdbc:inetdae7:rock_development@localhost"/>
            <JDBCTxDataSource EnableTwoPhaseCommit="true"
            JNDIName="jdbc/Tx4Rock" Name="Tx_DataSource_4_Rock"
            PoolName="rock_development_tx" Targets="Moon"/>
            debug outputs:
            <Mar 15, 2001 10:57:14 PM PST> <Debug> <JDBC XA> <main -tx:null-
            -pool:rock_development_tx
            - XADataSource props:{user=app, password=lication, dataSourceName=rock_development_tx}>
            <Mar 15, 2001 10:57:14 PM PST> <Debug> <JDBC XA> <main -tx:null-
            -pool:rock_development_tx
            - Property 'user' set>
            <Mar 15, 2001 10:57:14 PM PST> <Debug> <JDBC XA> <main -tx:null-
            -pool:rock_development_tx
            - Property 'password' set>
            <Mar 15, 2001 10:57:14 PM PST> <Debug> <JDBC XA> <main -tx:null-
            -pool:rock_development_tx
            - < Cannot set property 'dataSourceName'
            java.lang.NoSuchMethodException
            at java.lang.Class.getMethod0(Native Method)
            at java.lang.Class.getMethod(Class.java:888)
            at weblogic.jdbc.common.internal.DataSourceUtil.initProp(DataSourceUtil.java:48)
            at weblogic.jdbc.common.internal.DataSourceUtil.initProps(DataSourceUtil.java:19)
            at weblogic.jdbc.common.internal.XAConnectionEnvFactory.getXADataSrc(XAConnectionE
            nvFactory.java:124)
            at weblogic.jdbc.common.internal.XAConnectionEnvFactory.<init>(XAConnectionEnvFact
            ory.java:35)
            at weblogic.jdbc.common.internal.ConnectionPool.getResourceFactory(ConnectionPool.
            java:353)
            at weblogic.jdbc.common.internal.ConnectionPool.startup(ConnectionPool.java:301)
            at weblogic.jdbc.common.JDBCService.addDeployment(JDBCService.java:91)
            at weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentTarg
            et.java:283)
            at weblogic.management.mbeans.custom.DeploymentTarget.addDeployments(DeploymentTar
            get.java:233)
            at weblogic.management.mbeans.custom.DeploymentTarget.updateServerDeployments(Depl
            oymentTarget.java:194)
            at weblogic.management.mbeans.custom.DeploymentTarget.updateDeployments(Deployment
            Target.java:158)
            at java.lang.reflect.Method.invoke(Native Method)
            at weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl.ja
            va:559)
            at weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:545)
            at weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBeanIm
            pl.java:285)
            at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
            at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
            at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:431)
            at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:172)
            at $Proxy29.updateDeployments(Unknown Source)
            

            Hi,
            I am using I-net Opta 2000 v2.05 JDBC XADriver with WLS 6.0 sp1.
            I create a connection pool using com.inet.tds. XDatasouce. In
            WLS startup script, I put in -Dweblogic.Debug=weblogic.JTAJDBC
            debug switch. The output reports UnknownMethod datasourceName
            exception. I attached stack trace at the end. I didn't create datasourceName.
            the next thing I want to do is:
            1) Create one CMP entity bean name cmpBean_1 using XA Pool one
            connects with MS SQL Database DB1.
            2) Create second CMP entity bean name cmpBean_2 using XA Pool
            two connects with MS SQL Database DB2.
            3) In a sessionless bean, I will do
            ut = ctx.getUserTransaction();
            ut.begin();
            cmpBean_1.doSomething();
            cmpBean_2.doSomething();
            ut.commit();
            Could I do like this?
            Thanks in advance.
            Rock
            config.xml
            <JDBCConnectionPool DriverName="com.inet.tds.XDataSource"
            Name="rock_development_tx"
            properties="user=app;password=lication" Targets="Moon"
            URL="jdbc:inetdae7:rock_development@localhost"/>
            <JDBCTxDataSource EnableTwoPhaseCommit="true"
            JNDIName="jdbc/Tx4Rock" Name="Tx_DataSource_4_Rock"
            PoolName="rock_development_tx" Targets="Moon"/>
            debug outputs:
            <Mar 15, 2001 10:57:14 PM PST> <Debug> <JDBC XA> <main -tx:null-
            -pool:rock_development_tx
            - XADataSource props:{user=app, password=lication, dataSourceName=rock_development_tx}>
            <Mar 15, 2001 10:57:14 PM PST> <Debug> <JDBC XA> <main -tx:null-
            -pool:rock_development_tx
            - Property 'user' set>
            <Mar 15, 2001 10:57:14 PM PST> <Debug> <JDBC XA> <main -tx:null-
            -pool:rock_development_tx
            - Property 'password' set>
            <Mar 15, 2001 10:57:14 PM PST> <Debug> <JDBC XA> <main -tx:null-
            -pool:rock_development_tx
            - < Cannot set property 'dataSourceName'
            java.lang.NoSuchMethodException
            at java.lang.Class.getMethod0(Native Method)
            at java.lang.Class.getMethod(Class.java:888)
            at weblogic.jdbc.common.internal.DataSourceUtil.initProp(DataSourceUtil.java:48)
            at weblogic.jdbc.common.internal.DataSourceUtil.initProps(DataSourceUtil.java:19)
            at weblogic.jdbc.common.internal.XAConnectionEnvFactory.getXADataSrc(XAConnectionE
            nvFactory.java:124)
            at weblogic.jdbc.common.internal.XAConnectionEnvFactory.<init>(XAConnectionEnvFact
            ory.java:35)
            at weblogic.jdbc.common.internal.ConnectionPool.getResourceFactory(ConnectionPool.
            java:353)
            at weblogic.jdbc.common.internal.ConnectionPool.startup(ConnectionPool.java:301)
            at weblogic.jdbc.common.JDBCService.addDeployment(JDBCService.java:91)
            at weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentTarg
            et.java:283)
            at weblogic.management.mbeans.custom.DeploymentTarget.addDeployments(DeploymentTar
            get.java:233)
            at weblogic.management.mbeans.custom.DeploymentTarget.updateServerDeployments(Depl
            oymentTarget.java:194)
            at weblogic.management.mbeans.custom.DeploymentTarget.updateDeployments(Deployment
            Target.java:158)
            at java.lang.reflect.Method.invoke(Native Method)
            at weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl.ja
            va:559)
            at weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:545)
            at weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBeanIm
            pl.java:285)
            at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
            at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
            at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:431)
            at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:172)
            at $Proxy29.updateDeployments(Unknown Source)
            

• Oracle wallet(oraclepki.jar) is not working with WLS 10.3.1

  An external application is storing a password in oracle wallet i.e cwallet.sso and ewallet.p12 files using OracleWallet technology (oraclepki.jar).
  I have an web application which uses this password stored in the wallet for internal use, this application works fine if we deploy it in OC4J, but if Install the same application in WLS 10.3.1 application is not able to get the password for wallet.
  Oracle wallet require only oraclepki.jar file and this jar file is bundled in the ear file.
  Can someone guide me so that we can use Oracle wallet with WLS.

  Hi
  For me no error is showing. But the whitespace is not getting removed. But this is working fine in Tomcat6.1.
  Any help is appreciated.
  regards
  jossy.

• SSO with EP 6.0 and R/3 as backened not working

  Hi , 
      I am implementing ESS in EP 6.0 and r/3 4.7c as backend. SSO is working with UIPWD. but when I try with LogonTickets it does not work.
  I tried with ordinary SAP transaction SSO with logon tickets works. But through ITS if I call a ESS transaction service It asks me for login user and password.
  What are the setting to be done in ITS for SSO towork. I have set the parameter
  msapcomusesso2cookie = 1 in the global.svrc file.
  I do not know what is wrong. Please help.
  Regards,
  Ramesh

  Hi,
    I am using a standalone ITS for a R/3 4.7 system.
  How should I maintain a FQDN for ITS?
  You are right,
  now it is not of the format hostname.domain.com:port format. It is of the format hostname:port.
  But where should I change this format. The host name of the system where the ITS is setup is <hostname> only.
  can you please tell me as to where should I maintain the FQDN as the specific format you suggested.
  Regards,
  Ramesh

• SSO with SAP logon tickets to non-SAP web app

  I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work.  I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal.  Anyone tried similar?
  Cindy

  Hi Cindy,
  If it is EP6 SP2 probably you can checkout the following document.
  http://service.sap.com/ep60
  Go to Documentation Help>How-To-Guides>Current How To Guides section.
  checkout the following how to guide.
  Perform Cross Domain SSO with SAP Logon tickets zip file.
  If you want the zip file please send an e-mail to
  [email protected]
  Regards
  -Venkat Malempati

• I am having a problem with pop pups and small windows with ads constantly opening up on my safari?? Thought that macs didn't get virus? this looks like one- any experts around? please help me fix it with your instructions? really don't know what to do...

  Hi everyone,
  I am having a problem with my Mac OS X 10.7.5 mac book air , there are constant pop pups and small windows with ads blinking constantly opening up on my safari in front of everything?? it is constantly interupting me and makes me mistakingly click on it then another new windows open behind the one im using..
  I am not too sure if thats a virus or trojan.. I always thought that macs didn't get virus? this looks like one to me… any experts around? please help me fix it with your instructions? really don't know what to do... thanks

  Those are not viruses. You have probably installed some malware:
  The Safe Mac » Adware Removal Guide
  Helpful Links Regarding Malware Protection
  An excellent link to read is Tom Reed's Mac Malware Guide.
  Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.
  See these Apple articles:
            Mac OS X Snow Leopard and malware detection
            OS X Lion- Protect your Mac from malware
            OS X Mountain Lion- Protect your Mac from malware
            About file quarantine in OS X
  If you require anti-virus protection Thomas Reed recommends using Dr.Web Light from the App Store. It's free, and since it's from the App Store, it won't destabilize the system. If you prefer one of the better known commercial products, then Thomas recommends using Sophos.(Thank you to Thomas Reed for these recommendations.) If you already use Sophos, then be aware of this if you are using Mavericks: OS X Mavericks- Sophos Anti-Virus on-access scanner versions 8.0 - 9.1 may cause unexpected restarts
  From user Joe Bailey comes this equally useful advice:
  The facts are:
  1. There is no anti-malware software that can detect 100% of the malware out there.
  2. There is no anti-malware that can detect anything targeting the Mac because there
       is no Mac malware in the wild, and therefore, no "signatures" to detect.
  3. The very best way to prevent the most attacks is for you as the user to be aware that
       the most successful malware attacks rely on very sophisticated social engineering
       techniques preying on human avarice, ****, and fear.
  4. Internet popups saying the FBI, NSA, Microsoft, your ISP has detected malware on
      your computer is intended to entice you to install their malware thinking it is a
      protection against malware.
  5. Some of the anti-malware products on the market are worse than the malware
      from which they purport to protect you.
  6. Be cautious where you go on the internet.
  7. Only download anything from sites you know are safe.
  8. Avoid links you receive in email, always be suspicious even if you get something
      you think is from a friend, but you were not expecting.
  9. If there is any question in your mind, then assume it is malware.

• Cannot open your default e-mail folders. You must connect to Microsoft Exchange with the current profile before you can synchronize your folders with your Outlook data file (.ost)

  Fresh installation of Exchange Server 2013 on Windows Server 2012.
  Our first test account cannot access their email via Outlook but can access fine through OWA. The following message appears - "Cannot open your default e-mail folders. You must connect to Microsoft Exchange with the current profile before you can synchronize
  your folders with your Outlook data file (.ost)" is displayed.
  If I turn off cached Exchange mode, setting the email account to not
  cache does not resolve the issue and i get a new error message - "Cannot open your default e-mail folders. The file (path\profile name).ost is not an Outlook data file (.ost). Very odd since it creates its own .ost file when you run it for the first
  time.
  I cleared the appdata local Outlook folder and I tested on a new laptop that has never connected to Outlook, same error message on any system.
  Microsoft Exchange RPC Client Access service is running.
  No warning, error or critical messages in the eventlog, it's like the healthiest server alive.
  Any help would be greatly appreciated. I haven't encountered this issue with previous versions of Exchange.

  So it looks like a lot of people are having this issue and seeing how Exchange 2013 is still new (relatively to the world) there isn't much data around to answer this. I've spend ALOT of time trying to figure this out.
  Here is the answer. :) - No I don't know all but I'm going to try to give you the most reasonable answer to this issue, in a most logical way.
  First thing I did when I was troubleshooting this issue is that I ignored Martina Miskovic's suggestion for Step4 http://technet.microsoft.com/library/jj218640(EXCHG.150)because it didn't make sense to me because I was trying to connect
  Outlook not outside the LAN but actually inside. However, Martina's suggestion does fix the issue if it's applied in the correct context.
  This is where the plot thickens (it's stew). She failed to mention that things like SSL (which I configure practically useless - anyone who ever worked in a business environment where the owner pretty much trusts anyone in the company, otherwise they don't
  work there - very good business practice in my eyes btw, can confirm that...) are some sort of fetish with Microsoft lately. Exchange 2013 was no exception.
  In exchange 2003, exchange 2007 and exchange 2010 - you could install it and then go to outlook and set it up. And when outlook manual Microsoft Exchange profile would ask you for server name, you would give it and give the name of the person who you setting
  up - as long as machine is on the domain, not much more is needed. IT JUST WORKS! :) What a concept, if the person already on premises of the business - GIVE HIM ACCESS. I guess that was too logical for Microsoft. Now if you're off premises you can use things
  like OutlookAnywhere - which I might add had their place under that scenario.
  In Exchange 2013, the world changed. Ofcourse Microsoft doesn't feel like telling it in a plain english to people - I'm sure there is an article somewhere but I didn't find it. Exchange 2013 does not support direct configuration of Outlook like all of it's
  previous versions. Did you jaw drop? Mine did when I realized it. So now when you are asked for your server name in manual outlook set up and you give it Exchange2013.yourdomain.local - it says cannot connect to it. This happens because ALL - INTERNAL AND
  EXTERNAL connection are now handled via OutlookAnywhere. You can't even disable that feature and have it function the reasonable way.
  So now the question still remains - how do you configure outlook. Well under server properties there is this nice section called Outlook anywhere. You have a chance to configure it's External and Internal address. This is another thing that should be logical
  but it didn't work that way for me. When I configured the external address different from the internal - it didn't work. So I strongly suggest you get it working with the same internal address first and then ponder how you want to make it work for the outside
  users.
  Now that you have this set up you have to go to virtual directories and configure the external and internal address there - this is actually what the Step 4 that Martina was refering to has you do.
  Both external and internal address are now the same and you think you can configure your outlook manually - think again. One of the most lovely features of Outlook Anywhere, and the reason why I had never used it in the past is that it requires a TRUSTED
  certificate.
  See so it's not that exchange 2013 requires a trusted certificate - it's that exchange 2013 lacks the feature that was there since Windows 2000 and Exchange 5.5.
  So it's time for you to install an Active Direction Certificate Authority. Refer to this wonderful article for exact steps - http://careexchange.in/how-to-install-certificate-authority-on-windows-server-2012/
  Now even after you do that - it won't work because you have to add the base private key certificate, which you can download now from your internal certsrv site, to Default Domain Policy (AND yes some people claim NEVER mess with the Default Domain Policy,
  always make an addition one... it's up to you - I don't see direct harm if you know what you want to accomplish) see this: http://technet.microsoft.com/en-us/library/cc738131%28v=ws.10%29.aspx if you want to know exact steps.
  This is the moment of ZEN! :) Do you feel the excitement? After all it is your first time. Before we get too excited lets first request and then install the certificate to actual Exchange via the gui and assign it to all the services you can (IIS, SMTP and
  there is a 3rd - I forgot, but you get the idea).
  Now go to your client machine where you have the outlook open, browse to your exchange server via https://exchang2013/ in IE and if you don't get any certificate errors - it's good. If you do run on hte client and the server: gpupdate /force This will refresh
  the policy. Don't try to manually install the certificate from Exchange's website on the client. If you wanna do something manually to it to the base certificate from the private key but if you added it to the domain policy you shouldn't have to do it.
  Basically the idea is to make sure you have CA and that CA allows you to browse to exchange and you get no cert error and you can look at the cert and see that's from a domain CA.
  NOW, you can configure your outlook. EASY grasshoppa - not the manual way. WHY? Cause the automatic way will now work. :) Let it discover that exachange and populate it all - and tell you I'm happy! :)
  Open Outlook - BOOM! It works... Was it as good for you as it was for me?
  You may ask, why can't I just configure it by manual - you CAN. It's just a nightmare. Go ahead and open the settings of the account that got auto configed... How do you like that server name? It should read something like [email protected]
  and if you go to advanced and then connection tab - you'll see Outlook Anywhere is checked as well. Look at the settings - there is the name of the server, FQDN I might add. It's there in 2 places and one has that Mtdd-something:Exchange2013.yourdomain.local.
  So what is that GUID in the server name and where does it come from. It's the identity of the user's mailbox so for every user that setting will be different but you can figure it out via the console on the Exchange server itself - if you wish.
  Also a note, if your SSL certs have any trouble - it will just act like outlook can't connect to the exchange server even though it just declines the connection cause the cert/cert authority is not trusted.
  So in short Outlook Anywhere is EVERYWHERE! And it has barely any gui or config and you just supposed to magically know that kind of generic error messages mean what... Server names are now GUIDs of the [email protected] - THAT MAKES PERFECT
  SENSE MICROSOFT! ...and you have to manage certs... and the only place where you gonna find the name of the server is inside the d*** Outlook Anywhere settings in the config tab, un it's own config button - CAN WE PUT THE CONFIG ANY FURTHER!
  Frustrating beyond reason - that should be Exchange's new slogan...
  Hope this will help people in the future and won't get delete because it's bad PR for Microsoft.
  PS
  ALSO if you want to pick a fight with me about how SSL is more secure... I don't wanna hear it - go somewhere else...

• Weblogic SSO with AD - My Try - What's wrong?

  Dear All
  I'm trying to setup Weblogic to Authenticate using AD and have SSO with a Windows workstation(joined to the domain).
  I just setup an Active Directory(Win2K3), a Windows XP(SP2) and a Linux System(CentOS5) with Weblogic 10.3.
  I'm wondering what is wrong with my configuration. I can only logon on Adminstration Console using weblogics local users, and even with entering username(those which created on AD) and password AD Authentication does not work.
  Anyone has simliar experiance or any clue?
  Appreciated
  TIA
  Cheers
  Here is the setup:
  The domain is: example.com and machines are: dc.example.com (AD), winclient.example.com (Windows XP joined to the example.com domain) and weblogic.example.com (CentOS with Weblogic 10.3 installed)
  The hosts file on all three machines are filled with their FQDN, Machine Name and corresponding IP addresses. They all have ping working successfully between each two of them. Firewalls are checked to be off.
  These are the steps I came through based on documentation I could found on the net:
  h1. 0. Configuring Your Network Domain to Use Kerberos
  In Linux Machine(Weblogic Server) edit Kerberos configuration file for appropriate values:
  */etc/krb5.conf*
  \[logging\]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  \[libdefaults\]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = des-cbc-crc
  default_tgs_enctypes = des_cbc_crc
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime =28800
  forwardable = yes
  \[realms\]
  EXAMPLE.COM = {
  kdc = 192.168.1.193:88
  admin_server = dc
  default_domain = EXAMPLE.COM
  \[domain_realm\]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  \[kdc\]
  profile = /var/kerberos/krb5kdc/kdc.conf
  \[appdefaults\]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true
  pkinit = {
  allow_pkinit = false
  h1. 1. Create two users on AD: "New->User" with "User must change password at next logon" option cleared (not tidked)
  weblogic (for weblogic service) (with password = "password1")
  weblogicusr (the user which should access Weblogic Administration Console) ("password2")
  * Note that group membership of these two users are left default.(Domain Users)
  h1. 2. For "weblogic" & "weblogicusr" user set these Account Optiones:
  - Use DES encryption types for this account (ticked)
  - Do not require Kerberos preauthentication (cleared)
  * then reset the password again for "weblogic" (with password = "password1") and "weblogicusr" (with "password2").
  h1. 3. Create Service Principal Names for Weblogic Server and User on Win2K3 machine:
  - >setspn -a host/weblogic.example.com weblogic
  - >setspn -a HTTP/weblogic.example.com weblogic
  here is the result
  C:\Documents and Settings\Administrator.DC>setspn -L weblogic
  Registered ServicePrincipalNames for CN=weblogic,CN=Users,DC=example,DC=com:
  HTTP/weblogic
  host/weblogic
  HTTP/weblogic.example.com
  host/weblogic.example.com
  and
  - >setspn -a HTTP/weblogic.example.com weblogicusr
  and the result
  C:\Documents and Settings\Administrator.DC>setspn -L weblogicusr
  Registered ServicePrincipalNames for CN=Weblogic User,CN=Users,DC=example,DC=com:
  HTTP/weblogicsrv.example.com
  HTTP/weblogicsrv
  h1. 4. Create the keytab file for Weblogic Server:
  On AD machine issue:
  (ktpass from MS Windows Support Tools)
  >ktpass -princ host/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.host.keytab
  >ktpass -princ HTTP/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.HTTP.keytab
  (ktab from JRE 6)
  >ktab -k c:\temp\weblogic.keytab -a [email protected]
  Password for [email protected]:*password1*
  Done!
  Service key for [email protected] is saved in c:\temp\weblogic.keytab
  ** Note I could not kinit successfully merely with weblogic.host.keytab and/or weblogic.HTTP.keytab, I got this error +"Key table entry not found while getting initial credentials"+ how ever the keytab I created using ktab("weblogic.keytab") works fine in this case, so I decided to merge whole three of them into a keytab.
  >\[root@weblogic keytabs\]# kinit -k -t weblogic.host.keytab [email protected]
  >kinit(v5): Key table entry not found while getting initial credentials
  h1. 5. Port and Merge keytabs
  Then I ported these three files to the Linux Machine(weblogic.example.com): weblogic.host.keytab, weblogic.HTTP.keytab and weblogic.keytab
  and merged into one keytab:
  ktutil: "rkt weblogic.host.keytab"
  ktutil: "rkt weblogic.HTTP.keytab"
  ktutil: "rkt weblogic.keytab"
  ktutil: "wkt weblogic-keytab"
  ktutil: "q"
  * then put the result keytab "weblogic-keytab" somewhere in Weblogic Path:
  >/root/bea/user_projects/domains/base_domain/kerberos
  h2. 5.1 Test the keytab and kerberos configuration
  >\[root@weblogic keytabs\]# kinit -k -t weblogic-keytab [email protected]
  >\[root@weblogic keytabs\]# klist
  >Ticket cache: FILE:/tmp/krb5cc_0
  >Default principal: [email protected]
  >
  >Valid starting Expires Service principal
  >09/04/09 16:16:42 09/05/09 00:16:42 krbtgt/[email protected]
  >
  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached
  h1. 6. Creating a JAAS Login File
  Create krb5Login.conf and put it in here: "/root/bea/user_projects/domains/base_domain/kerberos/"
  krb5Login.conf
  com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal=*"[email protected]"* useKeyTab=true
  keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
  com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal=*"[email protected]"* useKeyTab=true
  keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
  h1. 7. Modify startup options
  add these option to "/root/bea/user_projects/domains/base_domain/bin/startWebLogic.sh"
  h2. 7.1 Kerberos
  -Djava.security.krb5.realm=EXAMPLE.COM
  -Djava.security.krb5.kdc=dc.example.com
  -zjava.security.auth.login.config=$PATHTOKRB/krb5Login.conf
  -Djavax.security.auth.useSubjectCredsOnly=false
  -Dweblogic.security.enableNegotiate=true h2. 7.2 Debug
  -DDebugSecurityAdjudicator=true
  -Dweblogic.debug.DebugSecurityAtn=true
  -Dsun.security.krb5.debug=true
  -Dweblogic.StdoutDebugEnabled=true";
  -Dweblogic.log.StdoutSeverity=Debugh1. 8. Configuring the Identity Assertion Provider
  In Weblogic Administration I created a Security Realm called "example.com" with everything default and made it default. Then restarted the Weblogic Server.
  Again in Administation Console did this to example.com Security Realm:
  h2. 8.1 -> Prividers: Add 3 Providers
  Negotiate     WebLogic Negotiate Identity Assertion provider     1.0
       DIA     WebLogic Identity Assertion provider     1.0
       AD     Provider that performs LDAP authentication     1.0 (Active Directory provider)
       Default     WebLogic Authentication Provider     1.0
  h2. 8.2 -> Change the default parameters
  h3. 8.2.1 Negotiate     WebLogic Negotiate Identity Assertion provider
  -> Base64 Decoding Required: false (No Change, but shouldn't it be true and how to change?)
  -> Form Based Negotiation Enabled: Removed the tick
  h3. 8.2.2 DIA     WebLogic Identity Assertion provider (no changes)
  (no changes)
  h3. 8.2.3 AD     Provider that performs LDAP authentication (Active Directory provider)
  -> Control Flag: *SUFFICIENT*
  -> User Name Attribute: *sAMAccountName*
  -> Principal: *HTTP/[email protected]*
  -> Host: *192.168.1.193*
  -> User Base DN: *CN=Users,DC=example,dc=com*
  -> Propagate Cause For Login Exception: *ticked*
  -> Group Base DN: *CN=Users,DC=example,dc=com*
  -> Credential: *password1*
  * others left with their default values.
  h1. 9. Configuring an Internet Explorer Browser
  On Windows XP machine (winclient.example.com):
  h2. 9.1 Configure Local Intranet Domains
  - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Sites:
  > "Include all sites that bypass the proxy server" *ticked*
  > "Include all local (intranet) sites not listed in other zones" *ticked*
  - then in -> Advanced Dialog Box added this:
  > weblogic.example.com
  h2. 9.2 Configure Intranet Authentication
  - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Custome Level:
  > In the Security Settings dialog box -> the User Authentication section.
  > "Automatic logon only in Intranet zone" *ticked*
  h2. 9.3 The Proxy Settings
  No proxies are enabled
  h2. 9.4 Enable Integrated Windows Authentication
  - In Internet Explorer, Tools > Internet Options -> Advanced tab -> Security section:
  > "Enable Integrated Windows Authentication" *ticked* by default
  Edited by: Mehdi Sarmadi on Sep 4, 2009 5:51 AM

  I found something in Logfile:
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Login username: weblogicusr>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <new LDAP connection to host 192.168.1.193 port 389 use local conne
  ction is false>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:
  ""}>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <connection failed netscape.ldap.LDAPException: error result (49);
  80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <[Security:090294]could not get connection>
  According to this post: Re: WL10.3 and SSO and Active Directory
  a correct ldap connection should look like this:
  <LDAP Atn Login username: Administrator>
  <userExists? user:Administrator>
  <new LDAP connection to host 10.10.0.254 port 389 use local connection is false>
  <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:""}>
  <connection succeeded>
  *<getConnection return conn:LDAPConnection {ldaps://10.10.0.254:389 ldapVersion:3 bindDN:"HTTP/[email protected]"}>
  <getDNForUser search("CN=Users,DC=DOMAIN,dc=local", "(&(&(cn=Administrator)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>xist>*
  Moreover, I turned AD's debug logging and this is what happens when I try to login with a AD user: Why "Anonymous Logon"?!
  Event Type:     Information
  Event Source:     NTDS LDAP
  Event Category:     LDAP Interface
  Event ID:     1535
  Date:          9/4/2009
  Time:          6:47:07 PM
  User:          NT AUTHORITY\*ANONYMOUS LOGON*
  Computer:     DC
  Description:
  Internal event: The LDAP server returned an error.
  Additional Data
  Error value:
  80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
  Any help would be greatly appreciated

• Enabling SSO with Weblogic Server

  Hi,
  Can someone please forward some documention on enabling SSO with Weblogic server for different applications using the admin console.
  Is enabling SSO only possible programmatically??
  Is there an external server amongst the Weblogic Platform that maintains this SSO information??
  Regards,
  Mukta

  Pradeep,
  Here are some questions for you.
  1. what version of Weblogic App Server you are using?
  2. Is it a weblogic Portal or a Java application deployed
     on a Weblogic App Server?
  3. You have mentioned that the users are stored in a table. Is it a database table ?
  Anyway see the following link as a starting point?
  http://e-docs.bea.com/wls/docs81/jconnector/security.html#1216783
  If the customer has lot of other web applications that they want to integrate you can look at third party authentication solutions (Ex: Siteminder). But if it is a few or limited applications then custom solution would be more appropriate from the cost perspective.
  Hope this can be a starting point.
  -Regards
  -Venkat Malempati

• Using updated tools with WLS 8.1 SP3

  I'm attempting to take advantage of some ant 1.6 features. However, it appears that the ant XML parsers are getting in the way of the embedded WLS xml parsers:
  [servicegen] java.lang.ClassCastException
  [servicegen] at weblogic.apache.xerces.parsers.SAXParser.<init>(SAXParser.java:140)
  [servicegen] at weblogic.apache.xerces.parsers.SAXParser.<init>(SAXParser.java:125)
  [servicegen] at weblogic.apache.xerces.jaxp.SAXParserImpl.<init>(SAXParserImpl.java:102)
  [servicegen] at weblogic.apache.xerces.jaxp.SAXParserFactoryImpl.newSAXParserImpl(SAXParserFactoryImpl.java:112)
  [servicegen] at weblogic.apache.xerces.jaxp.SAXParserFactoryImpl.setFeature(SAXParserFactoryImpl.java:140)
  [servicegen] at weblogic.xml.jaxp.WebLogicSAXParserFactory.setFeature(WebLogicSAXParserFactory.java:56)
  [servicegen] weblogic.utils.AssertionError: ***** ASSERTION FAILED *****[ Cannot invoke boolean constructor of processor ] - with nested exception:
  [servicegen] [java.lang.reflect.InvocationTargetException - with target exception:
  [servicegen] [weblogic.utils.AssertionError: ***** ASSERTION FAILED ***** - with nested exception:
  [servicegen] [java.lang.ClassCastException]]]
  Based on some research this appears to be an issue with WLS getting a parser that it cannot handle. Given that the version of ant included with 8.1sp3 is pretty old, is there a way to use newer versions? I'm giving up for now on macrodef's but would, as a general statement, like to keep up with new tools as they become available. I'd like to not be dependent on turning a battleship to incorporate 15 months of development work (the time between now and the release of ant 1.5.3 as included with 8.1sp3).
  Thanks for any information.

  Had some problems like this before. Even thought I cannot offer specific advice as to how to fix this. If you do this, it could help.
  Encountered a problem in eclipse while using WLS servicegen ANT task and, of course, the optional FTP task. I am using Eclipse Version: 3.0.0 Build id: 200406192000. With this comes ANT 1.6.1 standard. In order to get servicegen ANT task working I had to include the weblogic.jar in the ANT Classpath. Ofcourse this had another side effect, the FTP task that used to work earlier quit working. I still havent figured out the root cause of the problem but inorder to get around I did the following. To fix this, I added a new Task called FTP, I picked the c:\....\lib\ant-commons-net.jar in the location. The name I retained it as ftp. In the left page, I nagivated down to the lead of the tree [root]/->org->apache->...->net and in the right pane, I chose FTP. After this step when I ran I ran into an odd error Buildfile: C:\Work\JSSE-EJB.xml BUILD FAILED: java.lang.NoClassDefFoundError: com/oroinc/net/ftp/FTP Total time: 78 milliseconds I was under the impression that this is a legacy component and that the new version of the net component has org.apache....FTP structure. I am really not sure where, but to fix the issue, I had to get the NetComponents.jar from http://www.savarese.org/downloads/NetComponents/ and included it in the classpath. After this step, presto, servicegen task works fine with FTP task. However, I cannot imagine doing this for all the optional tasks. But for now there is a winding work around.

• Need help configuring Attribute Change in WLS 6.1

  Hi there,
  I did all it said in the documentation, lacking any sight of an SNMP
  trap. I want to receive a SNMP trap if the
  InvalidLoginAttemptsTotalCount changes (MBean: ServerSecurityRuntime).
  I use
  Attribute MBean Type: ServerSecurityRuntime
  Attribute MBean Name:
  petstore:Location=petstoreServer,Name=petstoreServer,Type=ServerSecurityRuntime
  Attribute Name: InvalidLoginAttemptsTotalCount
  I enabled SNMP, configure my TrapHost and started my trapdaemon. But I
  don't get any trap even though I increased the counter by doing some
  logins with the wrong password. Parallel to my attribute change I also
  configured a counter monitor on the same attribute, with the same
  disappointing result =:-(
  Can anyone help ?
  Greetings,
  Alex

  You need to set a target for the pool. Without target
  pool service won't start. Also you need to provide
  initial and maximum size for the pool.
  Regards,
  Slava Imeshev
  "Nadeem" <[email protected]> wrote in message
  news:3d6d9268$[email protected]..
  >
  Hi Slava, thanks for the reply. Here is the connection pool definition asextracted
  from config.xml. Do you see any errors in this which would cause theexception
  mentioned below?
  -Nadeem
  ************* Connection Pool element in config.xml ********
  <JDBCConnectionPool DriverName="oracle.jdbc.driver.OracleDriver"
  Name="MyJDBC Connection Pool"
  Properties="user=system;password=manager" TestTableName="cabin"URL="192.168.0.11:1521:tacit"/>
  "Slava Imeshev" <[email protected]> wrote:
  Hi Nadeem,
  Could you show us the connection pool definition?
  It can be extracted from config.xml
  Regards,
  Slava Imeshev
  "Nadeem" <[email protected]> wrote in message
  news:[email protected]..
  Hi,
  I need to create a connection pool in WLS 7. Here are the specificsof my
  environment:
  1. RDBMS: Oracle 8i
  2. Driver I want to use: Oracle thin 8.17 (provided with WLS 7)
  3. IP address of machine on which database resides: 192.168.0.5
  4. Port number: 1521
  5. Name of database: MyDB
  6. user: scott
  7. password: tiger
  Given the above,I do not know exactly what to fill out in the
  following
  fields
  that appear in the Admin Console's connection pool creation form:
  1. Name of connection pool (OK, this one I know!)
  2. URL string (exactly what should it be, given above info?)
  3. Driver Classname (I want to use Oracle thin 8.17, so what shouldI fill
  here?)
  4. Properties (exactly what should I fill here, given above info?)
  5. ACL Name (completely stumped here! Documentation says ACLs havebeen
  replaced
  by policies in WLS 7 - so what to fill here?)
  Could someone please help me correctly fill out these fields usingthe
  information
  I provided in the first paragraph.
  BTW, I'm logged into WLS as Administrator.
  Much obliged,
  Nadeem