How to retrieve an authenticated user for JCA in a repository service?

Hi,
I implemented a repository service which calls an ABAP function module via JCA and RFC. This connection has to be built up with the currently logged-in user.
But how can I get an authenticated ep6-user in the repository service received-event? Or is it possible to do this with an ep5-user?
I don't want to use username/password.
String sapsystem = "R3SYSTEM";
IConnectorGatewayService cgService = (IConnectorGatewayService)PortalRuntime.getRuntimeResources().getService(IConnectorService.KEY);
ConnectionProperties connProps = new ConnectionProperties(locale, (IPrincipal)user);
IConnection connection = cgService.getConnection(sapsystem, connProps);
In the last line I got the error message:
com.sapportals.connector.connection.ConnectionFailedException: Connection Failed: Nested Exception. Failed to get connection. Please contact your admin.
Any ideas?
Thanks.

Peter, the authenticated user is available from the portal request object. Get that one in your application and read from the UME all the properties you wanna get and build your web service call with it. It looks straightforward to me; what exactly is your problem?
cheers

Similar Messages

  • How to use an authenticated user for a proxy call

    Dear all,
    I am currently working on a JEE application where the user needs to authenticate (for this I have configured the web.xml).
    Now inside this application I need to do a proxy call to a PI webservice.
    I would like to use the user credentials of the already logged in user in order to call the proxy.
    What I don't want to do is to use a service user for the proxy call.
    The code I am trying to call looks something like this:
         private IntegratedConfigurationIn getPort() throws Exception {
              IntegratedConfigurationIn port = null;
              try {
                   IntegratedConfigurationInService service = null;
                   service = new IntegratedConfigurationInService();
                   port = (IntegratedConfigurationIn) service.getIntegratedConfigurationIn_Port();
                   // user, password and url are fields of the enclosing class
                   BindingProvider bp = (BindingProvider) port;
                   bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, user);
                   bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);
                   // Override the endpoint only when a URL has been configured
                   if (url.length() != 0) {
                        bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, url);
                   }
              } catch (Exception ex) {
                   ex.printStackTrace();
              }
              return port;
         }
    The examples I found to retrieve the userdata pointed to codes similar to this one:
    public HttpServletRequest getHttpRequest() throws Exception {
              // Get runtime context
              Properties props = new Properties();
              props.put("domain", "true");
              Context initialContext = new InitialContext(props);
              ApplicationWebServiceContext wsContext = (ApplicationWebServiceContext) initialContext
                        .lookup("/wsContext/ApplicationWebServiceContext");
              HttpServletRequest req = wsContext.getHttpServletRequest();
              return req;
    }
    // Resolve the logged-in UME user from the request, then map it to an EP5 user
    com.sap.security.api.IUser sapUser = com.sap.security.api.UMFactory.getAuthenticator().getLoggedInUser(getHttpRequest(), null);
    IUser ep5User = com.sapportals.wcm.util.usermanagement.WPUMFactory.getUserFactory().getEP5User(sapUser);
    Now I don't know how to bring it together and how to use an authenticated user for the BindingProvider.
    I would appreciate any hints or ideas.

    Peter,
    from the first screenshot, what I understood is that, you are calling an inbound PI web service that is intended to create an integrated configuration object (this is used for whole lot of other reason completely) but not actually calling a development web service.
    For this, you would have to generate your client classes from the WSDL provided by the PI developer for that particular service. Once you get those client classes generated, you could use the method provided in the other screenshot to extract the user and password and call the intended web service.
    Vijay Konam

  • Setup OID authenticated users for DB user globally identified users.

    I keep reading that you can setup Globally Identified users in Oracle database that
    are authenticated by OID. But it does not seem to work and I cannot find explicit
    directions for setting this up. I assume there must be some OID/SSO site
    configuration I am not aware of.
    We have an AS 10g app, a DB 9.2, and Forms 10g application. I created an OID
    user, Created a Globally Identified User in DB, but when I log into SSO, setup my
    RAD with password "doesnotmatter", then the database login comes up with
    invalid Username/Password.
    What's not right?
    We have to use OID to get Case Sensitive Passwords and we can get it to login
    to a normal user account with a valid matching password. However, passwords
    must be expired every 30-90 days and the change in OID during login does not
    go through to the DB account. OID does care but I can't have DB accounts sitting
    around with passwords that never expire and OID can't change them. I'd rather
    have DB accounts that cannot be logged into.
    Has anyone else successfully implemented OID and Globally Identified DB users or found a
    way to change DB Password after login/change password to OID?

    Have you configured enterprise user security for your database? If not, that would be the first step to take.
    The credentials stored in the RAD must match the SSO/OID user's credentials. There is no automatic way of doing that, so the user (or admin) has to set this up.
    So, the steps to follow are:
    1. Configure DB for EUS.
    2. Create OID user. Assuming you have mapped the shared schema to the users container, there is no need to create a DB user (for the OID user).
    3. If you want a one-to-one mapping, then you need to map the schema to the OID user (using Enterprise Security Manager).
    4. Create the RAD and add the SSO user's credentials.
    5. Test the above steps by accessing the Form using the RAD.
    Sanjay

  • Authenticating users for live stream

    The dev guide for FMS, under "Developing Social Media Applications"
    (http://help.adobe.com/en_US/FlashMediaServer/3.5_Deving/WS5b3ccc516d4fbf351e63e3d11a0773d37a-7feb.html
    - this is v3.5), shows how to pass in username and password to
    authenticate users as they connect.
    For live applications, the default main.asc has:
    application.onConnect = function(p_client, p_autoSenseBW)
    Unfortunately, I can't simply change the .onConnect function
    to have username & pass because the flvplayback component used
    to play back the live feed (for the clients) can't pass in
    username/pass.
    My question is a rehash of this one:
    http://www.adobe.com/cfusion/webforums/forum/messageview.cfm?forumid=15&catid=578&threadid=1372775&highlight_key=y&keyword1=flvplayback%20connect
    which was never answered..
    Basically - anyone know how to combine flvplayback + a SERVER
    side username/pass auth scheme?

    Dear Jazib,
    If this feature is not implemented, does Cisco consider to implement the "Individual User Authentication" for a LAN-to-LAN connection ? Any info on the road-map ??
    I think there will be a big market, with demand from the customer to implement such kind of solution. Right now we have implemented several projects using a similar solution (but not on an IPSec tunnel) with individual user authentication on a VLAN (vlan authentication) using Alcatel switch.
    Best Regards,
    Engel

  • Authentication works for Wiki but not File Services

    I setup Dual Open Directory Masters for 10.5 Servers, one server contains all my original directory information and is my MCX, File Services, and all the authentication works well on that server.
    Now I have a second server setup with 10.5 as a second ODM to run the Wiki Service. Both the groups and the accounts reside on my first server. I use this server to host Wiki's but I would also like to use it as a backup server for a few computers to use Time Machine Server.
    My problem is that authentication works great for the Wiki part of the server, and the user groups and everything work fine on that. It also works with SSH and SFTP. However, the users will not authenticate with AFP or SMB.
    Anyone have suggestions on how to fix that last part?

  • Bulk-enabling users for the Office 365 Messaging Service

    Is it possible to bulk-assign the Office 365 Messaging Service for Unity users after they are migrated to Office 365 from our on-premises Exchange environment instead of manually going into the Cisco Unity Connection Administration tool and performing these steps?
    4.1) Edit the user account in the Cisco Unity Connection Administration
    4.2) From the Edit drop-down menu, select Unified Messaging Accounts
    4.3) Click Add New
    4.4) Select the Office 365 messaging service you created
    4.5) Have it use the corporate email address unless it doesn't actually match the email address for the user on Office 365.
    4.6) Save
    I am hoping something can be done with the Bulk Administration Tool.... :).

    Yep, it's possible with BAT. I would export the users out, modify the CSV to only reflect the users that you need, make sure you have the 'serviceDisplayName' column populated, and use the CSV to update it. The BAT column names can be found here: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsagappb.html

  • On-Demand Process Running only for authenticated user

    I have noticed that an on-demand process is running only for authenticated users - for example a download of a document. For public users it doesn't. I remember seeing a similar question related to ajax on demand in this forum but couldn't locate the thread. Does anyone know why the process is not running for a user who is not authenticated? The result of a download for a public user is a blank page where the authenticated user gets the file by clicking on the same link.
    Thanks in advance,
    Denes Kubicek
    http://deneskubicek.blogspot.com/
    http://htmldb.oracle.com/pls/otn/f?p=31517:1
    -------------------------------------------------------------------

    Hello Denes,
    Please check if the following can help you -
    Re: AJAX on public page
    Re: Calling an application level on-demand process from JavaScript
    Regards,
    Arie.

  • Getting mail authentication errors for outlook user sending mail

    When Outlook 2010 user attempts to use port 587 to send mail (to himself at this point), we see the following in the server logs:
    (User in question can attach to file shares on the same server just fine from his Windows laptop)
    Outlook config for outbound server is "port: 587, encryption TLS"
    When we connect, we get "connection interrupted by server"
    Tried other encryption methods - outlook 2010 states that server does not support the other methods (None, SSL)
    SMTPD Logs
    Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: connect from <Outlook Client Name>[<Outlook ClientAddr>]
    Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: error: validate response: error: Authentication server failed to complete the requested operation.
    Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: error: validate response: authentication failed for user=colin (method=DIGEST-MD5)
    Jul 29 22:22:58 <servername>.l-n-l.com postfix/master[1407]: warning: process /usr/libexec/postfix/smtpd pid 2306 killed by signal 6
    Jul 29 22:22:58 <servername>.l-n-l.com postfix/master[1407]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
    Jul 29 22:24:12 <servername>.l-n-l.com postfix/smtpd[2270]: timeout after END-OF-MESSAGE from localhost[127.0.0.1]
    Jul 29 22:24:12 <servername>.l-n-l.com postfix/smtpd[2270]: disconnect from localhost[127.0.0.1]
    Meanwhile: Mac clients are able to connect to the smtpd submission port to send mail with no problems. Based on what the logs say, it appears that the Mac mail is using a different authentication mechanism.
    Client config for outbound server is "use custom port: 587, Use SSL:Checked, Authentication: MD5 Challenge-Response"
    Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2261]: connect from <Mac Client Name>[<MacClientAddr>]
    Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2261]: 721FCEC991: client=<Mac Client Name>[<MacClientAddr>], sasl_method=CRAM-MD5, sasl_username=<username>@l-n-l.com
    Jul 29 22:19:12 <servername>.l-n-l.com postfix/cleanup[2267]: 721FCEC991: message-id=<[email protected]>
    Jul 29 22:19:12 <servername>.l-n-l.com postfix/qmgr[1800]: 721FCEC991: from=<[email protected]>, size=573, nrcpt=1 (queue active)
    Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2270]: connect from localhost[127.0.0.1]
    Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2270]: E722AEC9A0: client=localhost[127.0.0.1]
    Jul 29 22:19:12 <servername>.l-n-l.com postfix/cleanup[2267]: E722AEC9A0: message-id=<[email protected]>
    Jul 29 22:19:12 <servername>.l-n-l.com postfix/qmgr[1800]: E722AEC9A0: from=<[email protected]>, size=994, nrcpt=1 (queue active)
    Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtp[2268]: 721FCEC991: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.55, delays=0.06/0.01/0.01/0.48, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E722AEC9A0)
    Jul 29 22:19:12 <servername>.l-n-l.com postfix/qmgr[1800]: 721FCEC991: removed
    Jul 29 22:19:13 <servername>.l-n-l.com postfix/pipe[2273]: E722AEC9A0: to=<[email protected]>, relay=dovecot, delay=0.13, delays=0/0.01/0/0.12, dsn=2.0.0, status=sent (delivered via dovecot service)
    Jul 29 22:19:13 <servername>.l-n-l.com postfix/qmgr[1800]: E722AEC9A0: removed
    Jul 29 22:20:12 <servername>.l-n-l.com postfix/smtpd[2261]: disconnect from <Mac Client Name>[<MacClientAddr>]
    Running OS X 10.8.4 with Server 2.2.1.
    Any thoughts on what I need to do to make OSX Server mail play nice with Outlook over the submission port?
    Thanks in advance!!

    Ok - so I think I have it almost all sussed. So for all 3 of you who might be reading this, here is what is going on.
    1) As I expected, this has nothing to do with the FQDN/Outlook problem. I actually rejoiced when I finally got far enough to have that problem with my Outlook 2007 and 2010 clients. And I don't like the recommended fix for that either. There is another way - more on that in a minute.
    2) This problem was all about authentication methods. At present, I have OS X Mail Server set for plain text and APOP only. I will be working to fix this soon - but at present I am unable to find any other combination that permits both Mac Mail and Outlook clients to authenticate properly. Mac Mail wants to use CRAM-MD5 by default. Outlook is so incompatible with CRAM-MD5 that even when there are other authentication methods available on the mail server, if CRAM-MD5 is selected on the Server then Outlook fails miserably no matter how you configure the Outlook client. Caveat: this is my own observation and I still have some experimenting to do. If you know otherwise (or can confirm more definitively), then please speak up!
    So here is the working configuration at present:
       A) Mail Server authentication set to Custom with PlainText and APOP selected, all others blank.
       B) Firewall permits inbound from ports 25 (for mail from "outside"), 587 (submission for authenticated users, TLS) 993 (SSL IMAP), and 995 (SSL POP).
       C) Mac POP Clients:
          i) For retrieval (POP) In advanced settings, use Port 995, Check "Use SSL", Select APOP for authentication.
          ii) For submission (SMTP) : Set port 587 (only), Set Authentication to "Password"
        D) Outlook 2007,2010,2013 clients
           i) For retrieval (POP), Set "Require secure logon using SPA"
          ii) In "More Settings/Outgoing Server" set it to require authentication with same credentials as inbound
         iii) In "More Settings/Advanced"
             a) Turn on Encryption for the POP3, this should change the port to 995 automatically. If it does not, fix that too.
             b) Set outgoing server to 587
             c) Set TLS for the encryption type (nothing else will work here)
    Once you do 2.A, 2.B, 2.D, you will THEN, finally encounter the FQDN problem.
    3) So Apple and a lot of folks here in the forums resolve the FQDN problem by removing one of the restrictions:
        Remove "reject_non_fqdn_helo_hostname" from "smtpd_helo_restrictions" in your postfix main.cf file.
    I have at least 2 problems with this:
       A) It removes yet another little bit of security from the setup
       B) It involves non-GUI changes to the config...which is dangerous if you use the GUI, as changes within the GUI will often result in overwrites to your changes outside the GUI. So you can easily lose this fix without being aware of it until one of your Outlook users starts screaming.
    The problem is really with Outlook and Windows not sending the FQDN in the first place. So how about we force them to do that instead? It turns out not to be too hard. I found a thread somewhere that goes into this and it works. Further, the solution remains on through reboots AND also can be made part of an automated deployment of a standard config. The only gotcha is you have to edit the registry...so you have to be careful. You only need to do this ONCE though, and the two entries are easy to find.
      C) Under HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/Tcpip/Parameters
           i) Set Hostname to the FQDN of your host (replace HOST with HOST.domain.com - or .net, or whatever)
          ii) Set NV Hostname to the FQDN of your host
          iii) Close Regedit and Reboot to have the changes take effect
    Once you do this, the FQDN problem for Outlook users goes away.
    So I am looking for suggestions to make the SMTP submission more secure. Aside from that, things are working - and I have had to make ZERO changes to config files outside of the Server GUI - a plus as far as I am concerned.
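The failing line in the question's log carries a user and a SASL method but no client address, so the only link back to the connecting host is the smtpd PID. The following Python script is an added example, not part of the original posts: it correlates smtpd lines by PID and reports which SASL mechanisms succeed or fail for which client. The sample lines are constructed (hostnames, addresses and user names are placeholders), and the failure pattern assumes the "validate response" format quoted in the question.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two log formats quoted in the question.
SAMPLE_LOG = """\
Jul 29 22:19:12 mail.example.com postfix/smtpd[2261]: connect from mac1.example.com[192.0.2.10]
Jul 29 22:19:12 mail.example.com postfix/smtpd[2261]: 721FCEC991: client=mac1.example.com[192.0.2.10], sasl_method=CRAM-MD5, sasl_username=alice@example.com
Jul 29 22:20:12 mail.example.com postfix/smtpd[2261]: disconnect from mac1.example.com[192.0.2.10]
Jul 29 22:22:58 mail.example.com postfix/smtpd[2306]: connect from win1.example.com[192.0.2.20]
Jul 29 22:22:58 mail.example.com postfix/smtpd[2306]: error: validate response: authentication failed for user=colin (method=DIGEST-MD5)
Jul 29 22:22:58 mail.example.com postfix/master[1407]: warning: process /usr/libexec/postfix/smtpd pid 2306 killed by signal 6
"""

LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\spostfix/(?P<daemon>\w+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
CONNECT = re.compile(r"^connect from (?P<client>\S+\[[^\]]+\])$")
AUTH_OK = re.compile(
    r"client=(?P<client>\S+\[[^\]]+\]), sasl_method=(?P<method>[\w-]+), sasl_username=(?P<user>\S+)"
)
AUTH_FAIL = re.compile(
    r"authentication failed for user=(?P<user>\S+) \(method=(?P<method>[\w-]+)\)"
)
KILLED = re.compile(r"process \S+ pid (?P<pid>\d+) killed by signal (?P<sig>\d+)")


def _event(pid, client, method, user, result):
    return {"pid": pid, "client": client, "method": method,
            "user": user, "result": result, "smtpd_signal": None}


def parse_auth_events(log_text):
    """Return one dict per SASL attempt, with the client resolved via the smtpd PID."""
    client_by_pid = {}   # smtpd pid -> client of the connection it is serving
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m is None:
            continue
        daemon, pid, msg = m["daemon"], m["pid"], m["msg"]
        if daemon == "master":
            killed = KILLED.search(msg)
            if killed:
                # Attach the crash to the most recent attempt handled by that smtpd.
                for event in reversed(events):
                    if event["pid"] == killed["pid"]:
                        event["smtpd_signal"] = int(killed["sig"])
                        break
            continue
        if daemon != "smtpd":
            continue
        connect = CONNECT.match(msg)
        ok = AUTH_OK.search(msg)
        failed = AUTH_FAIL.search(msg)
        if connect:
            client_by_pid[pid] = connect["client"]
        elif ok:
            events.append(_event(pid, ok["client"], ok["method"], ok["user"], "ok"))
        elif failed:
            client = client_by_pid.get(pid, "unknown")
            events.append(_event(pid, client, failed["method"], failed["user"], "failed"))
        elif msg.startswith("disconnect from"):
            client_by_pid.pop(pid, None)
    return events


def mechanism_outcomes(events):
    """Count successes and failures per SASL mechanism."""
    counts = defaultdict(lambda: {"ok": 0, "failed": 0})
    for event in events:
        counts[event["method"]][event["result"]] += 1
    return {method: dict(c) for method, c in counts.items()}


def only_failing(events):
    """Mechanisms that were attempted but never succeeded."""
    outcomes = mechanism_outcomes(events)
    return sorted(m for m, c in outcomes.items() if c["ok"] == 0 and c["failed"] > 0)


if __name__ == "__main__":
    for e in parse_auth_events(SAMPLE_LOG):
        print(e["result"], e["method"], e["user"], e["client"], e["smtpd_signal"])
    print("never succeeded:", only_failing(parse_auth_events(SAMPLE_LOG)))
```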

  • Tacacs authentication fails for one user account for only one switch

    Hi,
    I have a scenario where TACACS authentication fails for one user account on only one switch.
    The same user account works well for other devices.
    The AAA configs are same on every devices in the network.
    Here's the show tacacs output from the switch where only one user account fails:
                  Socket opens:        157
                 Socket closes:        156
                 Socket aborts:        303
                 Socket errors:          1
               Socket Timeouts:          2
       Failed Connect Attempts:          0
            Total Packets Sent:       1703
            Total Packets Recv:       1243
              Expected Replies:          0
    What could be the reason ?
    No errors on ACS server; same rights had been given to the user account.
    Thanks to advise.
    Prasey

    Hi there,
    Does the user get authenticated in the ACS logs?
    reports and activity----> failed attempts
    or
    reports and activity----->  passed authentications
    That will help narrow it down.
    Brad

  • Reporting Services through ISA server for All Authenticated Users

    Hello colleagues.
    I have an MS SQL 2012 server with Reporting Services, and it works via the link:
    https://reports2.domain.com/reports
    In the LAN everything works fine, but I want to publish this resource via ISA for All Authenticated Users.
    When I configure "All users" in the publishing rule (in Condition), everything works fine, but when I configure "All Authenticated Users", I have trouble with the web form on
    https://reports2.domain.com/reports/Pages/Report.aspx?ItemPat...  - scripts do not work, because they run as "anonymous" (I see this in the ISA logging) and ISA blocks the scripts.
    I can't use "All Users", because it's not secure.
    Has anybody published Reporting Services through ISA server for All Authenticated Users?
    Or, alternatively, how do I configure Negotiate authentication for scripts in Reporting Services?

    Hi Alexander,
    All users or applications who request access to report server content or operations must be authenticated using the authentication type configured on the report server before access is allowed. The AuthenticationType named RSWindowsNegotiate is supported
    by Reporting Services. To configure Windows Authentication on the Report Server, please see:
    http://msdn.microsoft.com/en-us/library/cc281253(v=sql.110).aspx
    Besides, we can publish report server via ISA server. Please note that you should use a new web port number with a new listener which shouldn’t be used by other web site for report server. Reference:
    http://social.technet.microsoft.com/Forums/forefront/en-US/1cc68996-1ce6-4d88-a30d-2bfd13fba06e/how-to-publish-ssrs-2008-through-isa-2006?forum=Forefrontedgegeneral
    Hope this helps.
    Thanks,
    Katherine Xiong
    TechNet Community Support

    Katherine, thanks for the answer.
    The Report Server service is started as a domain account.
    I have this in RSReportServer.config:
    <Authentication>
    <AuthenticationTypes>
    <RSWindowsNegotiate />
    </AuthenticationTypes>
    <RSWindowsExtendedProtectionLevel>Allow</RSWindowsExtendedProtectionLevel>
    <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
    <EnableAuthPersistence>true</EnableAuthPersistence>
    </Authentication>
    In web.config I have this:
    <authentication mode="Windows" />
        <identity impersonate="true" />
    I can go (from the Internet through ISA) to
    https://reports2.domain.com/reports and logon authentication works, but scripts do not work, because they run as "anonymous" (I see this in the ISA logging) and ISA blocks the scripts.
    Do you know where in Reporting Services to configure scripts to run with Negotiate authentication?

  • Use Microsoft Online Directory Services as a user authentication provider for our own SharePoint farm?

    Hi,
    I've managed to configure my farm so that  Microsoft Online Directory Services (Office 365 etc.) can be used for STS authentication, but what I'm actually trying to do is allow user authentication - that is, I'm hoping to be able to use the user's
    O365 credentials to authenticate them in my own farm so they can view certain parts of it. If I need to write my own login form or authentication provider or whatever that's fine, as long as the user doesn't need to enter anything when they access my farm
    (provided they already have cached O365 credentials in their browser session).
    FWIW I actually need to be able to support the possibility that users are coming from multiple O365 tenancies, whereby each site collection will be configured to allow users from a different O365 tenancy (more or less).
    If it's not possible to do with my own development farm on a PC, is it possible if the farm is hosted in Azure?
    Thanks
    Dylan

    Hi  Dylan,
    According to your description, my understanding is that you want to use Microsoft Online Directory Services as a user authentication provider for your SharePoint farm.
    For your demand, you can configure a hybrid topology for your SharePoint farm:
    http://technet.microsoft.com/en-us/library/jj838715(v=office.15).aspx
    http://technet.microsoft.com/en-us/library/dn197168(v=office.15).aspx
    Thanks,
    Eric
    Forum Support
    Eric Tao
    TechNet Community Support

  • No data to retrieve in Query 1 for particular User

    Error: No data to retrieve in Query 1 for particular User
    Hello,
    We have a Webi report in version 3.1 which runs fine in InfoView for a particular user.
    But when the same report is sent to the inbox of another user and that user tries to run it in InfoView, it gives the error below.
    "No data to retrieve in Query 1"
    All the security and group member level settings for both users are exactly the same. What could be the reason for this behaviour?
    Thanks

    Can you please check user is part of which group in enterprise receipts group.
    Also please check dynamic receipts tab of publication where data can be filtered
    Thanks,
    Swapnil

  • Username not showing up in access log for authenticated users

    I'm using form-based authentication in a Java web application on Sun One Web Server v6.1 to restrict access to authenticated users. However, even after the users authenticate and access the application, the username field in the access log is showing them as anonymous.
    request.getRemoteUser() is reporting the correct username, so it just seems to be the access log that is in error. Right now it is set to the default but changing formats to custom doesn't seem to help in displaying the username.
    Here's an excerpt from the access log:
    // anonymous access attempt, redirects to login page...
    10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/index.jsp HTTP/1.1" 302 0
    10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/login.jsp HTTP/1.1" 200 3355
    10.100.168.110 - - [01/May/2006:14:34:47 -0400] "POST /profile/j_security_check HTTP/1.1" 302 0
    // at this point they are logged in and their username should be reflected in the access log, but is not:
    10.100.168.110 - - [01/May/2006:14:34:47 -0400] "GET /profile/index.jsp HTTP/1.1" 200 3532
    And the relevant code from the web application's web.xml:
    <security-constraint>
        <web-resource-collection>
          <web-resource-name>AllFiles</web-resource-name>
          <description>
                     Restricts anonymous access.
                  </description>
          <url-pattern>/*</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <description>
                   Authenticated Users
                  </description>
          <role-name>user</role-name>
        </auth-constraint>
      </security-constraint>
    I've searched the forums and the manuals but can't see anything showing that the access log's username field doesn't work with form-based authentication. Can anyone shed some light on this?

    Some background:
    The Java Servlet container has its own authentication infrastructure (which is what you configure in web.xml) which is separate from the non-Java authentication infrastructure (ACLs, etc.). If you set up authentication via ACLs the resulting user identity can (though you may configure it not to) propagate to the Java Servlet container such that request.getRemoteUser() will return it, even though no web.xml-driven authentication occurred. The converse is not true, however: if you authenticate via a Java Realm, based on web.xml configuration, that user identity is not available to non-Java code.
    (Your web.xml snippet doesn't show you using FORM auth - but it doesn't matter, the explanation above applies in any case.)
    That is why the log file (generated from non-Java code) doesn't have access to that user. It probably should, but there's no config option today for you to make that happen.
    If you're using BASIC auth you may consider moving the authentication configuration from web.xml to ACLs as a possible workaround. It will then show up in the access logs.
    If you prefer web.xml-based authentication, consider the <SECURITY audit="true"> option in server.xml. It won't be in the access log but you'll have an audit trail of authentications, which may help.

  • Need MBAM 2.5 Helpdesk and selfservice sites to open for authenticated users with no password prompt

    I need MBAM 2.5 Helpdesk and self service sites to open for authenticated users with no password prompt. I just can't seem to get this to work. The account used in the application pool has its SPN registered and delegation set. I can use that account to login
    to the sites but am prompted for a password. That said anyone I add into the helpdesk users group cannot negotiate the sites. Only the account I have set in the application pool can. I want domain authenticated users that have been added to the MBAM Help Desk
    Users group to negotiate the site with NO password challenge at all.
    tconners

    This generally means that your SPN is not set up correctly.  Let's say the web server you installed the SSP on is lance.contoso.com and your app pool creds are corp\lance.  You should set an SPN similar to setspn -s http/lance.contoso.com
    corp\lance.  In your browser, you should now be able to access the SSP without prompts.  However, if you still get prompted, generally that means that your local intranet zone in IE does not have an entry for *.contoso.com.  Since you are entering
    an FQDN in your browser, IE interprets the "." to mean "on the internet" which breaks Kerberos authentication.  By adding *.contoso.com to your local intranet zone, you are telling it that lance.contoso.com is on the intranet, so use
    Kerberos.

    I can confirm that I have the exact same configuration and I always get the password prompt the very first time. We have a 2-server (1xIIS and 1xSQL) infrastructure in production with the SPN set like it should be and I get the password prompt.

  • Cisco ISE User Authentication Certificates for Wired and Wirless Users (BYOD)

    Can anyone tell me from where we can purchase User Authentication Certificates for Wired and Wireless Users (BYOD) for Cisco ISE? Also confirm what certificates we require for the purpose.
    Please suggest the website from where we can purchase them and import them in the Cisco ISE certificate section.
    Thanks.

    Dear Mohana,
    Thanks for your reply. Can you please confirm, in regards to the EAP-TLS certificate, which authorities you recommend if I go to GoDaddy or VeriSign to buy it and then import it in ISE.
    Looking forward for your reply.
    Regards,
    Muhammad Imran Shaikh
    Resident Engineer, IT Network Section - PPL
