How to configure container trust relationships?
The EJB 2.0 specification clearly states (paragraph 19.8.1.1) that '...EJB containers
are required to provide deployers and administrators with the tools to configure
trust relationships for interactions with intermediate web or EJB containers...'.
How do you do this in WLS 6.1, and where can I find additional documentation about
the trust relationships between containers?
Between WLS containers.
Erik
"Peter B" <@> wrote:
>
"Erik Godding Boye" <[email protected]> wrote in message
news:3be0280c$[email protected]..
> The EJB 2.0 specification clearly states (paragraph 19.8.1.1) that '...EJB containers
> are required to provide deployers and administrators with the tools to configure
> trust relationships for interactions with intermediate web or EJB containers...'.
> How do you do this in WLS 6.1, and where can I find additional documentation about
> the trust relationships between containers?
Are you talking about other WLS containers or some third party app server
containers?
Peter
Similar Messages
-
How to set up trust relationship between oc4j and tomcat
Howdy
According to the EJB 2.0 spec., section 19.8.1.1, second paragraph: "EJB containers are required to provide deployers or administrators with the tools to configure trust relationships with intermediate web or EJB containers."
What tools/methods are available for OC4J?
To give my question some context:
I'm trying to set up things so that I have Tomcat (4.1.x) as a servlet container and OC4J (9.0.3) as an EJB container. I want Tomcat to authenticate users (using its JNDI (LDAP) realm), and then have it forward a javax.security.Principal representing the user when invoking EJBs on OC4J from servlets. One task in that is to make the OC4J instance trust the Tomcat instance, so that OC4J accepts a principal sent from Tomcat as already authenticated.
I've been unable to find any docs on this subject.
Any help appreciated.
best regards Christian Surlykke
Christian -- Setting up the trust relationship is described in the interoperability section of the OC4J v903 Services Guide. I would probably start there.
Thanks -- Jeff -
How to verify that trust relationship has been set up successfully at client machine ?
Hello,
There is a trust set up with a domain group. Would you please let me know how I can verify that the trust relationship has been set up correctly, in such a way that I can see the users of the trusted group on the client machine?
Any idea?
Note: I do not have access to the Domain Controller.
Thanks and Regards,
Dipti
Dipti Chhatrapati
Hi
As far as I know, trust certificates that have been exchanged between the SharePoint farm and external systems should be visible by going to the Central Admin->Security->Manage Trusts page.
Kind Regards
Bjoern
http://www.sharepointviking.com
Twitter: Follow @bjoern_rapp -
NW RFC SDK: Non-SAP to ABAP with username (trust relationship)
Hello,
I have a quite challenging non-SAP-to-ABAP RFC scenario with a trust relationship.
Here's the scenario:
An Oracle database server acts as an RFC client and calls RFC function modules in an ABAP server. (I assume the Oracle programmers are going to use NW RFC SDK 7.1 or JCo 3.0 on the Oracle server and call that from their PL/SQL based database application.)
The challenge is that I don't want to use a single "technical user" on the ABAP side because that would mean that all the users on the Oracle side would be mapped to one single ABAP user. Also, I don't want to have to store individual ABAP passwords on the Oracle side.
Instead, I want the ABAP server to trust the RFC client the same way it might
a) trust a NetWeaver AS Java server after installing the Java server's certificate in transaction STRUSTSSO2 or
b) the way it might trust another ABAP server after configuring a trust relationship (transaction SMT1?)
The ABAP server should accept incoming RFC connections from the Oracle RFC client with just the user name and no password given and run the resulting processes in the ABAP system under the user id given in the RFC call.
I imagine the ideal solution somehow along the following lines (simplified scenario for a PC-based prototype):
- I download and run a program that creates a certificate file (public key?) which I import into the ABAP system.
- The same program creates a matching file (private key?) for the RFC client.
- For reasons of simplicity, let us imagine the RFC client as a stand-alone Java SE application running on a PC.
- The Java SE application uses the JCo library to connect to the ABAP system.
- When opening the connection, it passes a username, but no password. Instead, it passes a Base64-encoded string that was generated by our key/certificate generator program.
- On the ABAP side, the function modules are run under the username used by the Java SE application when establishing the RFC connection.
Is that possible at all? How would you solve this?
Thank you very much in advance and best regards,
Thorsten
Hello,
Thanks a lot for your extremely high-quality replies. I've been trying to work with them.
Frankly, just when (after Gregor's and Tim's posts) I was hoping that working my way deeply enough into SNC, I would be able to solve my problem, Wolfgang comes along and tells me what I'm aiming at won't work. Now I'm confused.
The way I understand Wolfgang, the special trust an AS ABAP can put into another AS ABAP or an AS Java ("remote RFC client, give me one certificate and I will accept every username if they come from you") cannot be put into a custom-made remote server software (such as the Oracle server application) acting as the RFC client, because when acting as RFC clients, the remote AS Java or AS ABAP use proprietary elements of the RFC protocol which are not available to me when I program my RFC client in the Oracle application.
@Wolfgang, is that correct?
Solution 1: Individual X.509 Certificates
Instead, I can establish X.509-based trust relationships at the level of individual usernames: create a certificate for each Oracle user, import them into the AS ABAP, map them to an ABAP user, and store the certificate on the Oracle side (I'm still not sure about the different certificates and keys used publicly and privately here).
Solution 2: AS ABAP as User Management Engine for the Oracle Application
I can also see an alternative that would spare me the trouble of generating, importing, mapping and storing the certificates: delegate the user management to the AS ABAP and delete the (custom-built) logon and password-checking mechanism in the PL/SQL application:
Users are created centrally in CUA and distributed along with their passwords into (among others) the AS ABAP.
When a user logs on to the PL/SQL application, the username and password are sent for validation to an ABAP BAPI.
If authentication is successful, the AS ABAP returns a SAPLogon ticket which can be stored in the session context of the PL/SQL application and used in subsequent RFC calls. The password (a hash?) would only be transferred once during logon.
What do you think? Would both solutions work or am I still getting something wrong? Can you see a better alternative that would reduce
for solution 1 the administrative overhead for synchronization
for solution 2 the run-time dependency Oracle-ABAP and the change impact on the Oracle application's user management concept?
Thanks a lot,
Thorsten -
Hi,
Could you please tell me how to configure NSP as « trusted » system in the latest trial version of NetWeaver?
Please see the attachment.
Thanks,
Marc
Hi Marc,
go to transaction STRUSTSSO2, generate a certificate for your system, then add it to the certificate list and to the ACL for your client.
There will probably be several parameters to set in the instance profile if you plan to use SSO.
Best regards,
Vincent -
Office Web Apps 2013 + could not establish trust relationship
We currently have a three tier SharePoint 2013 Farm:
1. Web Front End Server (Server 2008 R2 Enterprise) - Servername: TEST2SP013.domain.dom
2. Central Admin Server (Server 2008 R2 Enterprise) - Servername: TEST2SPCA013.domain.dom
3. SQL Server (Server 2012 Datacenter) - Servername: TESTSQL012.domain.dom
All Machines are in the same IP/Subnet.
We are trying to setup a new server (Server 2012 R2 Datacenter) (Servername: TEST022.domain.dom) to run Office Web Apps 2013 in our TEST environment to test the system before rolling in production and have had issues throughout the entire process.
The technet articles we have used are:
http://technet.microsoft.com/en-us/library/jj219435.aspx
http://technet.microsoft.com/en-us/library/ff431687.aspx
http://technet.microsoft.com/en-us/library/jj219627.aspx
We finally have what I thought was a correct setup but anytime we try to edit or view a word, excel, powerpoint document within SharePoint 2013, we receive "Sorry, there was a problem and we can't open this document. If this happens again, try opening the document in Microsoft Word."
We found a few How-To Setup Office Web Apps sites where other people provided step-by step instructions:
blogs.msdn.com/b/sowmyancs/archive/2012/10/29/install-configure-amp-monitor-office-web-apps-2013-for-sp-2013.aspx
http://www.wictorwilen.se/office-web-apps-2013-securing-your-wac-farm
http://blogs.technet.com/b/justin_gao/archive/2013/06/30/configuring-office-web-apps-server-communication-using-https.aspx
We reviewed the ULS logs and found the following error:
02/14/2014 13:38:40.24 w3wp.exe (0x1C04) 0x1BB4 Office Web Apps
WAC Hosting Interaction adhsk Unexpected WOPI CheckFile: Catch-All Failure [exception:Microsoft.Office.Web.Common.EnvironmentAdapters.UnexpectedErrorException: HttpRequest failed ---> Microsoft.Office.Web.Apps.Common.HttpRequestAsyncException:
No Response in WebException ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate
is invalid according to the validation procedure. at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) --- End of
inner exception stack trace --- at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at Microsoft.Office.Web.Apps.Common.Ht... 7bed0d51-511d-4541-a059-e2f72942e617
None of the articles provide specific step-by-step instructions for using HTTPS in a test environment, specifically when it comes to Self-Signed Certs through Active Directory Certificate Services.
We tried creating a Self-Signed Cert through IIS on the Office Web Apps Box which did not work.
We tried creating a Cert through Active Directory Certificate Services which did not work.
We tried adding the Cert through Central Admin > Security > Manage Trust which did not help.
We verified "get-spwopizone" is set to internal-https
We can access the Web Apps https://test022/hosting/discovery site and view the XML with no issue on any machine on our network.
We added our domain to the list of approved domains that can use Office Web Apps as well as add "Domain Users" as the security group that can "EDIT" Office Documents through Office Web Apps.
After each step, we tried performing either a system reboot or IIS Reset on the Office Web Apps and WFE box.
My Question is how do we generate a certificate (either self-signed through IIS on the Office Web Apps Box or through AD) that will allow this application to work? I read that the Fully Qualified Domain Name needs to be in the SAN field of the Cert but when we request it, I have no way of entering this information. I tried following http://technet.microsoft.com/en-us/library/ff625722 to manually request a certificate with a Custom SAN but that did not work either.
I am assuming the certificate issue is with the New Office Web Apps box. Is this correct?
-Chris
If internal cert then you will have to add the certificate from OWA to trusted certificates on each SharePoint server, plus add the certificate from Central Admin in SharePoint through Manage Trust. Also you will need to install the p7b file (file that contains the path to the root certificate to verify each intermediate certificate) for the internal cert on each SharePoint server to not get a certificate error.
sachin -
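Added example, not part of the thread above: a Python version of the host-name check behind "The remote certificate is invalid according to the validation procedure", applied to the discovery URL and server name from the question. The certificate dictionaries are constructed (shaped like the output of Python's `ssl` `getpeercert()`), and every function and constant name is hypothetical.

```python
from urllib.parse import urlsplit


def san_dns_names(cert):
    """Return the dNSName entries of subjectAltName, lower-cased."""
    return [value.lower()
            for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def common_names(cert):
    """Return every commonName found in the subject, lower-cased."""
    return [value.lower()
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def name_matches(pattern, host):
    """Compare one certificate name with the host taken from the URL.

    Comparison is per DNS label and case-insensitive. A wildcard is accepted
    only as the whole leftmost label, stands for exactly one label, and needs
    at least two further labels after it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_url_against_cert(url, cert):
    """Return (verdict, host, names) for the host part of `url`.

    verdict is one of:
      "match-san"      host matches a subjectAltName DNS entry
      "match-cn-only"  no SAN DNS entries; only the subject CN matches
                       (some TLS clients no longer consult the CN at all)
      "mismatch"       nothing in the certificate names this host
    """
    host = urlsplit(url).hostname or ""
    sans = san_dns_names(cert)
    if any(name_matches(name, host) for name in sans):
        return ("match-san", host, sans)
    cns = common_names(cert)
    if not sans and any(name_matches(name, host) for name in cns):
        return ("match-cn-only", host, cns)
    return ("mismatch", host, sans or cns)


# Constructed certificates (not taken from the thread), using the server
# name TEST022.domain.dom that the question gives for the Office Web Apps box.
CERT_FQDN_ONLY = {
    "subject": ((("commonName", "TEST022.domain.dom"),),),
    "subjectAltName": (("DNS", "TEST022.domain.dom"),),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "TEST022.domain.dom"),),),
}
CERT_BOTH_NAMES = {
    "subject": ((("commonName", "TEST022.domain.dom"),),),
    "subjectAltName": (("DNS", "TEST022.domain.dom"), ("DNS", "test022")),
}

if __name__ == "__main__":
    urls = ("https://test022/hosting/discovery",
            "https://test022.domain.dom/hosting/discovery")
    certs = (("FQDN in SAN", CERT_FQDN_ONLY),
             ("CN only", CERT_CN_ONLY),
             ("FQDN and short name in SAN", CERT_BOTH_NAMES))
    for url in urls:
        for label, cert in certs:
            verdict, host, names = check_url_against_cert(url, cert)
            print(f"{host:22} {label:28} {verdict:14} {names}")
```

A matching name is only one part of validation: the client must also be able to build a chain from the certificate to a root it trusts, which this check does not cover.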
Hi,
I configured SAP R/3 System on portal.
And also I created a transactional iView using R/3.
Let me know how to connect an Oracle system and how to create an iView to show data which is there in the Oracle database.
For example
I want to show the EMP table in Oracle on a portal iView.
Please help..
regards
praksh..
Hi
You can connect to a database using a JDBC iView already present in the PCD, or you can create a portal archive file which contains a servlet or JSP using the simple JDBC API of Java. The portal component that can be used is an abstract portal component or JSP DynPage, but as you write code in Java you can do the same thing here. Register drivers in the system before you connect to it, and then deploy the portal component using NetWeaver Developer Studio or by uploading the archive straight away through the PCD inspector. Just use the IP address in code if it is a distributed database, which must be in the same domain as the portal; otherwise you need to build a trust relationship between the two domains. Hope this helps you; please do not forget to give points.
with regards
subrato kundu -
How to configure Email output in SD
Dear friends, please send me details of how to configure email output in the SD module.
<REMOVED>
Thanks & Regards,
<REMOVED>
Hi
IDoc Def: Standard SAP format for electronic data interchange between systems (Intermediate Document). Different message types (such as delivery confirmations or purchase orders) normally represent different specific formats, the IDoc types. However, multiple message types with related content can be assigned to one IDoc type: For example, the IDoc type ORDERS01 transfers the "logical" message types ORDERS (purchase order) and ORDRSP (order confirmation).
IDocs are of two types: basic type and extension type. We need to configure the system settings for this process.
IDOC (Intermediate Document) - A data holder.
IDOC is divided in to three parts.
Control Record
Data Record
Status Record
Control record (Table: EDIDC):
- Every IDOC has only one Control Record
- Each Control Record contains header information like:
o IDOC Number
o Direction of IDOC: Inbound or Outbound
o Date and Time of creation of IDOC
o Date and time when the IDOC was last modified.
o Message Type of IDOC
o IDOC type and extension of IDOC
o Sender and Receiver Partner
Data record (Table: EDID4):
- Data Record contains Data to be processed.
- Every IDOC has one data record with multiple segments in hierarchy.
- Segments and Hierarchy of Segments are defined by IDOC Type and Extension.
- IDOC created has to strictly follow the hierarchy; else IDOC fails with Syntax error.
- Segments which are repetitive have qualifiers attached to it
Status record (Table: EDIDS):
- Status Record describes the status of IDOC.
- Each IDOC contains one status Record with multiple status information.
- Status at each level is appended to IDOC. E.g. when IDOC is created in SAP, status is "This IDoc has been generated through a test transaction"; when the IDOC is added to system it is "IDOC added", "IDOC ready to be transferred to Application"
- Status should always be read bottom-up. Status at the top is the latest status.
- Some Example of Status Records:
o Inbound:
§ 53 - IDOC successfully posted
§ 51 IDOC Failed
§ 64 - IDOC ready to be transferred to Application
o Outbound:
§ 30 IDOC ready for Dispatch
§ 03 IDOC passed to port OK
§ 12 IDOC Dispatched
§ 16 Functional Acknowledgement Positive
§ 17 functional Acknowledgement Negative
IDoc Type: Defines the segments and hierarchy of segments
o Transaction Code:
§ WE30 To create, change or display the IDOC type and the extension.
§ WE31 To create the Segment
- IDOC type defines the segments to be used in the IDOC.
- It also defines the hierarchy and syntax of the segments.
- IDOC extension is nothing but to add segments to standard IDOC types.
- Transaction WE31 allows you to create segments.
- Program RSEIDOC3 documents the use of each IDOC type.
Segments:
Attributes of a Segment:
- Mandatory Segment: If checked, this segment should always exist in the IDOC.
- Minimum Number:
- Maximum Number: Maximum number of times this segment can be repeated in IDOC.
- Parent Segment: Parent of this segment
- Hierarchy level: Level of hierarchy.
Segment Definition (WE31):
Message Type: Defines the type of data in the IDOC
o Transaction Code:
§ WE81 To create, change or display the Message type and the extension.
§ WE82 Using this transaction you can link Message Type, IDOC Type, IDOC Extension and version.
- Message type identifies the type of data IDOC holds. E.g. Orders (ORDERS), Delivery (DESADV), Invoice (INVOICE). It also defines what needs to be done with the data in the IDOC, in case of Inbound IDOC, and which data to be extracted in case of Outbound IDOC.
- Message Type is linked to a process code, which in turn is linked to a Function Module. This function module extracts from or posts data to SAP depending on direction of IDOC.
- Relation between Message Type, IDOC type and IDOC extension needs to be defined. Without this relation Message type or IDOC type cannot be used.
Message Type Create, Change or Display (WE81):
Setup link between Message Type, IDOC Type, IDOC Extension and Version (WE82)
Process Code: Function Module is linked to a process code. This function module is executed for inbound or outbound IDOC.
o Transaction Codes:
§ WE41 Outbound Process Code
§ WE42 Inbound Process Code
- Process codes are linked to a Function Module.
- Relationship is Message Type is linked to a Process Code which is linked to a Function Module.
- In case if you are using a stand alone code to trigger an IDOC, you need not define a process code.
RFC Destination: System definition of destination.
o Transaction Code: SM59
- RFC destination identifies the destination of IDOC.
- In case of ALE:
o In ALE the communication mode is IDOC to IDOC, hence the type used is R/3 Connections.
o It is the destination SAP system which will receive the IDOC.
o In RFC destination you define the destination SAP system details like System, Login and Password.
Go through the links below:
http://help.sap.com/printdocu/core/Print46c/en/data/pdf/BCMIDALEIO/BCMIDALEIO.pdf
http://help.sap.com/printdocu/core/Print46c/en/data/pdf/BCMIDALEPRO/BCMIDALEPRO.pdf
http://help.sap.com/printdocu/core/Print46c/en/data/pdf/CABFAALEQS/CABFAALEQS.pdf
http://help.sap.com/printdocu/core/Print46c/en/data/pdf/BCSRVEDISC/CAEDISCAP_STC.pdf
Sail -
Hi, experts
I'm trying to configure a lab environment according tutorial http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/rights-management-server-exchange-2010-part3.html
After completing configuration, I execute cmdlet Set-IRMConfiguration -InternalLicensingEnabled $true, but get error
The remote certificate is invalid according to the validation procedure. ---> The underlying connection was closed: Cou
ld not establish trust relationship for the SSL/TLS secure channel. ---> Failed to get Server Info from https://exhv-65
94/_wmcs/certification/server.asmx.
+ CategoryInfo : InvalidOperation: (:) [Set-IRMConfiguration], Exception
+ FullyQualifiedErrorId : C810E449,Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration
Then I run cmdlet Test-IRMConfiguration -Sender [email protected] and get error
Results : Checking Exchange Server ...
- PASS: Exchange Server is running in Enterprise.
Loading IRM configuration ...
- PASS: IRM configuration loaded successfully.
Retrieving RMS Certification Uri ...
- PASS: RMS Certification Uri: https://server1/_wmcs/certification.
Verifying RMS version for https://server1/_wmcs/certification ...
- WARNING: Failed to verify RMS version. IRM features require AD RMS on Windows Server 2008 SP2 with the
hotfixes specified in Knowledge Base article 973247 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=973247)
or AD RMS on Windows Server 2008 R2.
Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from https:
//server1/_wmcs/certification/server.asmx. ---> System.Net.WebException: The underlying connection was clos
ed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authenticatio
n.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest async
Request, Exception exception)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequ
est asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Obje
ct state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[] req
uests)
at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
--- End of inner exception stack trace ---
at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.ValidateRmsVersion(Uri uri, Se
rviceType serviceType)
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
OVERALL RESULT: PASS with warnings on disabled features
From the error message, this issue seems to be related to the SSL/TLS connection. So I went back to check the configuration and found a difference from the tutorial. The current SCP URL is https://server1/_wmcs/certification, but in the tutorial it is https://server1:433/_wmcs/certification.
In my opinion, I don't think it is the real reason.
So, how can I resolve this error? Could you give me some suggestion? Thanks in advance.
System Info:
Windows Server 2008 R2 + Exchange Server 2010 SP3 RTM
Hi
Please have a try with the solution on this KB article
“Error message when you try to test access from the Microsoft Dynamics CRM E-mail Router: "Incoming Status: Failure - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"”
http://support.microsoft.com/kb/954584/en-us
Cheers
Zi Feng
TechNet Community Support -
I tried to redeem a digital download copy of a movie and was presented the following error:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Any guesses on what it is and how to resolve it?
Thanks
Hi Abhilash Francis,
Could you tell us your scenario? What's your project? Is it a WCF service?
Looks like this is not a code issue.
Just from the error information,
it seems that you do not configure the service certificate very well so as to Server was unable to process request.
I am not completely sure what the real scenario is, but it might be a problem of that It is a WCF services application, please check these following articles to configure the service certificate.
If not, please feel free to let me know.
How to: Configure an IIS-hosted WCF service with SSL
Could not establish trust relationship for the SSL/TLS secure channel
Hope this helps.
Best regards,
Kristin -
How to configure SCSM exchange connector when exchange server is in different domain.
We installed/configured SCSM in ABC domain and now need to use exchange connector for incident alert mail.
But exchange server is in different domain, say XYZ.
How do we configure?
Thanks,
Abhilash
Cannot configure trust at AD level. But in the config article, the following points are given, but the first 2 steps are not clear. Also, we did not find the option to "navigate to certificate template and right click certificate templates".
Sorry, I don't have much experience with certificates. If the steps were described a little more clearly, it would be helpful.
a. If your Service Manager management server does not have a trusted relationship with the Exchange Server, open Certificate Services and create a duplicate copy of the Web Server Certificate Template. Ensure that Private Key Export and Publish in AD are selected, and then add Read and Enroll permission to Authenticated Users.
b. In Certificate Services, navigate to Certificate Template and right-click Certificate Templates. Click New and then click Certificate Template to Issue. Select the template that you created in the previous step.
c. In Exchange Server, open the Microsoft Management Console and add the Certificates snap-in for the local computer. Right-click the Personal logical store, and then hover over All Tasks.
d. Select Request for New certificate and in the Certificate Enrollment wizard, select Active Directory Enrollment Policy and select the template that you created previously. When you select the certificate, you can click More Information to type the Exchange Server’s FQDN name as the common name in the Subject tab. You can also type the FQDN name as the Friendly Name in the General tab.
Thanks,
Abhilash -
RFC Trust Relationship - Authentication
Hello Experts,
Could anyone tell me what really happens behind the scenes when you setup the RFC Trust Relationship on ABAP systems?
Is the trusted system certificate imported into the trusting system?
Do the systems exchange the certificates/keys during authentication?
Is there any help document available giving more details about what happens behind the scenes of RFC trust relationship configuration and how single sign-on is possible?
One on-site consultant said that the systems exchange the certificates, and another consultant said that they exchange keys and the data is encrypted. If SNC is not enabled, how is the data encrypted?
And also I do not see the trusted system certificate in the trusting system's "certificate list".
My assumption is that adding 2 systems to an RFC trust relationship neither adds the trusted system certificate into the trusting system nor exchanges keys between systems for the RFC call. The calling system (trusted system) gets authenticated based on the S_RFCACL authorization in the trusting system.
Please share your thoughts or any relevant help documents
Thanks,
Himadama
Hi
Please go to this link :
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/47/95443fbee8700fe10000000a42189d/frameset.htm
It also has clear documentation and steps to set up a trusted relationship.
Pay attention to the following three pointers from the above link for using trusted RFC:
"● A user in the target system
● Authorizations for the applications he or she needs to use in the target system
● Authorization for the object S_RFCACL
This authorization object regulates a user's right to log onto a system via a trusted connection"
Regards -
How to configure SCCM 2007 to deliver apps to DMZ servers
I'm needing some clarification and assistance here. I'm providing some background as well. This is my first foray in to this process, so the simpler and more thorough the explanations are, the better it will be for me.
We're running Config. Mgr. 2007 in Mixed Mode (can't go Native at this point) in our corporate domain. We also have 20 servers in our DMZ. Some are in workgroups. The rest are members of one of three AD Domains in the DMZ. There is no trusted relationship with our internal corporate domain or between the domains in the DMZ. I want to use SCCM to distribute a limited number of applications to all the DMZ servers, automating the process like we are currently doing, inside our firewall.
Here's the limited understanding I have from reviewing other posts, along with additional questions. Please feel free to correct any misconceptions and also fill in the blanks.
If I get the process correctly, the client is manually installed on DMZ servers. They will communicate over port 80 (HTTP). A SLP is required, which can be set up as part of the client command-line installation. Alternatively we can set up a secondary site in the DMZ which will communicate over port 1433 to our internal network.
The questions I have are these. What box does the SLP have to be defined on if we are not using a secondary site? Also, is it a component of the client installation that is enabled on one server in the DMZ, or is it inside the firewall? How are DMZ servers directed to it?
If we use a secondary site in the DMZ, how does that affect our overall configuration? Currently we're using a single SCCM server, no children.
Thanks in advance for your assistance and information
Thanks, Dino
Here's a good guide to get you started :
http://blog.coretech.dk/wp-content/uploads/The-complete-guide-to-System-Center-Updates-Publisher-2011-V1.01.pdf
Benoit Lecours | Blog: System Center Dudes -
Hi,
We have 3 domains
DOM1.domain.local (top domain)
DOM2.DOM1.domain.local (sub domain)
DOM3.DOM1.domain.local (sub domain)
When we set up a brand new RDS 2012 server in DOM2 we can't add users from DOM3 and vice versa.
When we install a RDS 2012 server in DOM1 we can't add users from DOM2 and DOM3.
The error message says that the network path was not found. And to check for a two-way trust.
We can't change settings on the trust relationship, because it is a child domain, it will always be a two-way trust. (the validation works without any problem)
Adding users from the other subdomain to the local group "Remote Desktop Users" isn't a problem. But that doesn't work any more in server 2012.
Anyone an idea?
Regards
Stijn
Hi,
After reading your post, I understand that you are not able to add users from another domain.
Are cross-domain users able to log in successfully?
In your situation, I would suggest that you change the trust type to a cross-forest trust.
Understanding when to Create a Forest Trust:
http://technet.microsoft.com/en-us/library/cc771397.aspx
How to Configure Cross-Forest Administration:
http://technet.microsoft.com/en-us/library/bb232078(v=exchg.80).aspx
Refer below post (Answered By :Mark McNichols):
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b243ec10-ae0c-4501-94b7-acd3a4d1e90e/rds-and-sid-error-with-twoway-trust
The article which is described in above post by Mark McNichols (KB972133):
http://support.microsoft.com/kb/972133
This might help!
Thanks. -
Hi,
A SharePoint 2010 backup has been taken from production and restored through Semantic Tool on one of the servers. The web application of which the backup was taken is working fine.
But the problem is that SharePoint is not working correctly. We cannot create any new web application, and cannot navigate to the ServiceApplications.aspx page; it shows an error. Even the Search and UserProfile Services of the existing web application are not working. Checking the SharePoint logs I found the exception below:
11/30/2011 12:14:53.78 WebAnalyticsService.exe (0x06D4) 0x2D24 SharePoint Foundation Database
8u1d High Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15'
11/30/2011 12:14:53.78 WebAnalyticsService.exe (0x06D4) 0x2D24 SharePoint Foundation Topology
2myf Medium Enabling the configuration filesystem and memory caches.
11/30/2011 12:14:53.79 WebAnalyticsService.exe (0x06D4) 0x12AC SharePoint Foundation Database
8u1d High Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15'
11/30/2011 12:14:53.79 WebAnalyticsService.exe (0x06D4) 0x12AC SharePoint Foundation Topology
2myf Medium Enabling the configuration filesystem and memory caches.
11/30/2011 12:14:55.54 mssearch.exe (0x0864) 0x2B24 SharePoint Server Search Propagation Manager
fo2s Medium [3b3-c-0 An] aborting all propagation tasks and propagation-owned transactions after waiting 300 seconds (0 indexes) [indexpropagator.cxx:1607] d:\office\source\search\native\ytrip\tripoli\propagation\indexpropagator.cxx
11/30/2011 12:14:55.99 OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Topology
75dz High The SPPersistedObject with
Name User Profile Service Application, Id 9577a6aa-33ec-498e-b198-56651b53bf27, Parent 13e1ef7d-40c2-4bcb-906c-a080866ca9bd failed to initialize with the following error: System.SystemException: The trust relationship between the primary domain and the trusted
domain failed. at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed) at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection
sourceSids, Type targetType, Boolean forceSuccess) at System.Security.Principal.SecurityIdentifier.Translate(Type targetType) at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()
at Microsoft.SharePoint.Administration.SPAcl`1.Add(String princip...
11/30/2011 12:14:55.99* OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Topology
75dz High ...alName, String displayName, Byte[] securityIdentifier, T grantRightsMask, T denyRightsMask) at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)
at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization() at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization() at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider
persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)
11/30/2011 12:14:56.00 OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Topology
8xqx High Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.
11/30/2011 12:14:56.00 OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Timer
2n2p Monitorable The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed. at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection
sourceSids, Boolean& someFailed) at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess) at System.Security.Principal.SecurityIdentifier.Translate(Type
targetType) at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName() at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, Byte[] securityIdentifier, T grantRightsMask,
T denyRightsMask) at Microsoft.SharePoint.Administrati...
11/30/2011 12:14:56.00* OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Timer
2n2p Monitorable ...on.SPAcl`1..ctor(String persistedAcl) at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization() at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()
at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state) at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid
id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml) at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr) at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64
currentVe...
Please guide me on the above issue; this will be of great help.
Thanks.
I have the same error. Verified trust, ports, cleaned up cache... nothing has helped.
The problem is caused by User profile Synch Service:
UserProfileProperty_WCFLogging :: ProfilePropertyService.GetProfileProperties Exception: System.SystemException:
The trust relationship between the primary domain and the trusted domain failed. at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids,
Boolean& someFailed) at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess) at System.Security.Principal.SecurityIdentifier.Translate(Type
targetType) at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName() at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[]
identifier, T grantRightsMask, T denyRigh...
08/23/2014 13:00:20.96* w3wp.exe (0x2204)
0x293C SharePoint Portal Server User Profiles
eh0u Unexpected ...tsMask) at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)
at Microsoft.Office.Server.Administration.UserProfileApplication.get_SerializedAdministratorAcl() at Microsoft.Office.Server.Administration.UserProfileApplication.GetProperties() at Microsoft.Office.Server.UserProfiles.ProfilePropertyService.GetProfileProperties()
Please let me know if you found any solution for this.
Regards,
Kunal
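The ULS excerpts in the two posts above split long stack traces across rows: the continuation row carries `*` after its timestamp and its text resumes after `...`. The Python below is an added example, not part of either post or of SharePoint; it reassembles such entries and counts the ones reporting the trust failure, noting whether the trace passes through SecurityIdentifier.Translate. The sample rows and function names are constructed, and the tab-separated column layout is assumed from the on-disk ULS format.

```python
from collections import Counter

COLUMNS = ("ts", "process", "tid", "area", "category", "event_id", "level", "message")
TRUST_ERROR = "The trust relationship between the primary domain and the trusted domain failed"

# Constructed sample rows modelled on the excerpts above (assumed tab-separated, as on disk).
ROWS = [
    ("11/30/2011 12:14:55.99", "OWSTIMER.EXE (0x1DF4)", "0x1994", "SharePoint Foundation",
     "Topology", "75dz", "High", "System.SystemException: " + TRUST_ERROR + ". at System.Security."
     "Principal.SecurityIdentifier.Translate(Type targetType) at SPAcl`1.Add(String princip..."),
    ("11/30/2011 12:14:55.99", "mssearch.exe (0x0864)", "0x2B24", "SharePoint Server Search",
     "Propagation Manager", "fo2s", "Medium", "aborting all propagation tasks"),
    ("11/30/2011 12:14:55.99*", "OWSTIMER.EXE (0x1DF4)", "0x1994", "SharePoint Foundation",
     "Topology", "75dz", "High", "...alName, String displayName) at SPAcl`1..ctor(String persistedAcl)"),
    ("11/30/2011 12:14:56.00", "OWSTIMER.EXE (0x1DF4)", "0x1994", "SharePoint Foundation",
     "Topology", "8xqx", "High", "Exception in RefreshCache. Exception message :" + TRUST_ERROR + "."),
]
SAMPLE = "\n".join("\t".join(r) for r in ROWS)

def parse_uls(text):
    """Return one dict per logical entry, merging '*' continuation rows into their parent."""
    entries, open_by_source = [], {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) < len(COLUMNS):
            continue  # not a complete ULS row
        row = dict(zip(COLUMNS, fields))
        source = (row["process"], row["tid"], row["event_id"])
        parent = open_by_source.get(source)
        if row["ts"].endswith("*") and parent is not None:
            head, tail = parent["message"], row["message"]
            if head.endswith("...") and tail.startswith("..."):
                head, tail = head[:-3], tail[3:]  # drop the split markers
            parent["message"] = head + tail
            continue
        row["ts"] = row["ts"].rstrip("*")
        entries.append(row)
        open_by_source[source] = row  # later '*' rows from this source attach here
    return entries

def trust_failures(entries):
    """Count trust-failure entries per (process, category, event id, seen in SID translation)."""
    hits = Counter()
    for e in entries:
        if TRUST_ERROR in e["message"]:
            in_sid_translate = "SecurityIdentifier.Translate" in e["message"]
            hits[(e["process"].split(" (")[0], e["category"], e["event_id"], in_sid_translate)] += 1
    return hits
```

Continuation rows are matched to their parent by process, thread and event ID, so a row from another process interleaved between the two halves does not break the merge.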