HR auths - P_PERNR

Hi Authorisations people,
I have a quick question about the P_PERNR authorisation object: If a role has both P_PERNR and P_ORGIN, how does it behave for someone's own data if there is no applicable entry in P_PERNR? Does it take the P_ORGIN permissions or does it just disallow the operation? I guess the question is, if P_PERNR exists, does SAP then ignore P_ORGIN for own personnel number accesses?
Hope you understand the question, thanks in advance for any answers.
/ Richard

Hi,
First of all, let's take P_ORGIN and what it does: it gives access to a set of people's data (to read, change, etc.).
Now there are two scenarios:
1. You are a part of this set:
When you are trying to manipulate your data, P_PERNR takes precedence over P_ORGIN. So if in P_PERNR you have the Exclude value (E) (the value for PSIGN in P_PERNR) set for a set of infotypes to which you have access from P_ORGIN, then you will not be able to go to your data even if P_ORGIN allows you to.
2. You are not a part of this set of people (to which P_ORGIN gives you access):
Again it checks P_PERNR for what access you have got for your own data, and gives access to the infotypes for which you have Include (I) set for the PSIGN field in P_PERNR.
Now P_PERNR works if and only if:
1. The OOAC switches are activated.
2. You have infotype 0105 maintained for the System ID.
Otherwise P_PERNR has no controlling effect whatsoever.
Hope this helps..
Manohar
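
The precedence described in the reply above, written out as a small decision model. This is an added sketch, not part of the original thread and not SAP code: the class and function names are hypothetical, only the INFTY, AUTHC and PSIGN fields are modelled, and two points the reply does not state are assumptions (a P_PERNR check with no matching entry falls through to P_ORGIN, and E wins if both E and I match).

```python
from typing import NamedTuple, Optional, Sequence


class PPernr(NamedTuple):
    authc: str  # authorization level, e.g. "R", "W" or "*"
    psign: str  # "I" = include own data, "E" = exclude own data
    infty: str  # infotype, e.g. "0006" or "*"


class POrgin(NamedTuple):
    authc: str
    infty: str


class Decision(NamedTuple):
    allowed: bool
    decided_by: str


def field_matches(pattern: str, value: str) -> bool:
    """A role value matches when it is the wildcard or the exact value."""
    return pattern == "*" or pattern == value


def check_access(
    user_pernr: Optional[str],   # personnel number mapped to the user via infotype 0105
    target_pernr: str,           # personnel number whose data is being accessed
    infty: str,
    authc: str,
    p_pernr: Sequence[PPernr],
    p_orgin: Sequence[POrgin],
    pernr_switch_on: bool = True,  # the OOAC switch mentioned in the reply
) -> Decision:
    # P_PERNR only has an effect when the switch is active, the user is
    # mapped to a personnel number, and the access is to that number.
    own_record = (
        pernr_switch_on
        and user_pernr is not None
        and user_pernr == target_pernr
    )
    if own_record:
        hits = [
            a for a in p_pernr
            if field_matches(a.infty, infty) and field_matches(a.authc, authc)
        ]
        # Assumption: an exclude entry wins over an include entry.
        if any(a.psign == "E" for a in hits):
            return Decision(False, "P_PERNR PSIGN=E")
        if any(a.psign == "I" for a in hits):
            return Decision(True, "P_PERNR PSIGN=I")
        # Assumption: no applicable P_PERNR entry, so P_ORGIN decides.
    if any(
        field_matches(a.infty, infty) and field_matches(a.authc, authc)
        for a in p_orgin
    ):
        return Decision(True, "P_ORGIN")
    return Decision(False, "no matching authorization")


# Constructed role for illustration: read access to infotypes 0006 and 0008
# for everyone in scope, own 0008 excluded, own 0006 writable.
ROLE_P_ORGIN = [POrgin("R", "0006"), POrgin("R", "0008")]
ROLE_P_PERNR = [PPernr("R", "E", "0008"), PPernr("W", "I", "0006")]


def demo() -> dict:
    me, colleague = "00001000", "00002000"  # constructed personnel numbers
    args = (ROLE_P_PERNR, ROLE_P_ORGIN)
    return {
        "own 0008 read": check_access(me, me, "0008", "R", *args),
        "colleague 0008 read": check_access(me, colleague, "0008", "R", *args),
        "own 0006 write": check_access(me, me, "0006", "W", *args),
        "own 0006 read": check_access(me, me, "0006", "R", *args),
        "own 0008 read, switch off": check_access(
            me, me, "0008", "R", *args, pernr_switch_on=False
        ),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:28} -> {decision}")
```

The "own 0006 read" case is the one the original question asks about: no P_PERNR entry applies, so under the stated assumption the P_ORGIN authorization decides.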

Similar Messages

  • Auth setting for IT0006 lock record

    Hi All,
    Can anyone guide me on how to set up the authc object for locking an IT0006 record through the portal webdynpro address application?
    I have the following setup but I am getting a "you have no authorization to insert" error message. I am not sure what we are missing in auth. If I use the PZ02 (address) transaction in R/3 for the same user, it locks the record and works as expected. With the same authorization, if I use it in the webdynpro address application, I am getting a 'you do not have authorization to insert' error message.
    Auth Object :P_ORGIN
    INFTY : 0006
    SUBTY: *
    AUTHC: R
    PERSA: *
    PERSG: *
    PERSK: *
    VDSK1: *
    Auth Object: P_PERNR
    AUTHC: E
    PSIGN: I
    INFTY : 0006
    SUBTY: *
    If I use "Authc= R, W" in P_ORGIN, I am able to edit the record through portal but it is not locking the record.
    Trace
    AUTH
    P_PERNR RC=4 AUTHC=W;PSIGN=*;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=W;PSIGN=E;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=W;PSIGN=I;INFTY=0006;SUBTY=1;
    P_ORGIN RC=4 INFTY=0006;SUBTY=1;AUTHC=W;PERSA=;PERSG=;PERSK=;VDSK1=;
    P_PERNR RC=4 AUTHC=W;PSIGN=*;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=W;PSIGN=E;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=W;PSIGN=I;INFTY=0006;SUBTY=1;
    P_ORGIN RC=4 INFTY=0006;SUBTY=1;AUTHC=W;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
    P_PERNR RC=4 AUTHC=E;PSIGN=*;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=E;PSIGN=E;INFTY=0006;SUBTY=1;
    P_PERNR RC=0 AUTHC=E;PSIGN=I;INFTY=0006;SUBTY=1;
    P_ORGIN RC=4 INFTY=0006;SUBTY=1;AUTHC=E;PERSA=;PERSG=;PERSK=;VDSK1=;
    P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0006;SUBTY=1;
    P_ORGIN RC=4 INFTY=0006;SUBTY=1;AUTHC=D;PERSA=;PERSG=;PERSK=;VDSK1=;
    P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0006;SUBTY=1;
    P_ORGIN RC=4 INFTY=0006;SUBTY=1;AUTHC=D;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
    P_PERNR RC=4 AUTHC=S;PSIGN=*;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=S;PSIGN=E;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=S;PSIGN=I;INFTY=0006;SUBTY=1;
    P_ORGIN RC=4 INFTY=0006;SUBTY=1;AUTHC=S;PERSA=;PERSG=;PERSK=;VDSK1=;
    P_PERNR RC=4 AUTHC=S;PSIGN=*;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=S;PSIGN=E;INFTY=0006;SUBTY=1;
    P_PERNR RC=4 AUTHC=S;PSIGN=I;INFTY=0006;SUBTY=1;
    P_ORGIN RC=4 INFTY=0006;SUBTY=1;AUTHC=S;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
    RFC 113719 HRXSS_PER_MODIFY Prog:SAPLHRXSS_PER_P0006_USRow:
    RFC 336 HRXSS_PER_CHECK Prog:SAPLHRXSS_PER_MACRow:
    Thanks!
    Lakshmikandh
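
A trace like the one in the post above is easier to read once it is tabulated by object, authorization level and return code (RC=0 means the check passed, RC=4 that it failed). The parser below is an added example, not part of the original post and not an SAP tool; the function names are hypothetical and the sample lines are copied from the post's trace.

```python
import re
from collections import defaultdict

# Matches lines such as
#   P_PERNR RC=4 AUTHC=W;PSIGN=*;INFTY=0006;SUBTY=1;
# and tolerates an optional leading timestamp and "AUTH - - -" column,
# as seen in other traces on this page.
LINE_RE = re.compile(
    r"^\s*(?:\d{2}:\d{2}:\d{2}\S*\s+)?"
    r"(?:AUTH\s+(?:-\s+)*)?"
    r"(?P<obj>[A-Z][A-Z0-9_]*)\s+RC=\s*(?P<rc>\d+)\s+(?P<fields>\S.*)$"
)

# Sample lines copied from the trace in the post above.
SAMPLE_TRACE = """\
AUTH
P_PERNR RC=4 AUTHC=W;PSIGN=*;INFTY=0006;SUBTY=1;
P_PERNR RC=4 AUTHC=W;PSIGN=E;INFTY=0006;SUBTY=1;
P_PERNR RC=4 AUTHC=W;PSIGN=I;INFTY=0006;SUBTY=1;
P_ORGIN RC=4 INFTY=0006;SUBTY=1;AUTHC=W;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=4 AUTHC=E;PSIGN=*;INFTY=0006;SUBTY=1;
P_PERNR RC=4 AUTHC=E;PSIGN=E;INFTY=0006;SUBTY=1;
P_PERNR RC=0 AUTHC=E;PSIGN=I;INFTY=0006;SUBTY=1;
P_ORGIN RC=4 INFTY=0006;SUBTY=1;AUTHC=E;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0006;SUBTY=1;
P_ORGIN RC=4 INFTY=0006;SUBTY=1;AUTHC=D;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
P_PERNR RC=4 AUTHC=S;PSIGN=I;INFTY=0006;SUBTY=1;
RFC 336 HRXSS_PER_CHECK Prog:SAPLHRXSS_PER_MACRow:
"""


def parse_trace(text):
    """Return one dict per authorization check line; other lines are skipped."""
    checks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section markers, RFC lines, free text
        fields = {}
        for part in m.group("fields").split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                # Values may be empty, blank, or quoted blanks (' ').
                fields[key.strip()] = value.strip().strip("'").strip()
        checks.append(
            {"object": m.group("obj"), "rc": int(m.group("rc")), "fields": fields}
        )
    return checks


def passed_checks(checks):
    """Checks that returned RC=0."""
    return [c for c in checks if c["rc"] == 0]


def unsatisfied_levels(checks):
    """AUTHC levels for which no object returned RC=0 anywhere in the trace."""
    ok_by_level = defaultdict(bool)
    for c in checks:
        level = c["fields"].get("AUTHC", "")
        ok_by_level[level] = ok_by_level[level] or c["rc"] == 0
    return sorted(level for level, ok in ok_by_level.items() if not ok)


def checks_per_object(checks):
    """Count of checks per authorization object, useful for spotting floods."""
    counts = defaultdict(int)
    for c in checks:
        counts[c["object"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    print("checks per object :", checks_per_object(parsed))
    for c in passed_checks(parsed):
        print("passed            :", c["object"], c["fields"])
    print("levels never RC=0 :", unsatisfied_levels(parsed))
```

On the sample, the only check that passes is P_PERNR with AUTHC=E and PSIGN=I, which matches the role shown in the post; the W, D and S levels the application also asked for are never satisfied by either object.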

  • Excessive HR authorisation check (53,500) on one transaction

    Hi experts,
    We have a situation where one of our HR administrators runs PA20, for example, and this takes an excessive time to load. There is a timer message in the bottom of the screen (which I have never seen before) stating Authorisation Check 5% and carries on up to 100%.
    We turned on the PERNR authorisation check about 5 weeks ago, which should check object P_PERNR in your authorisations. However, for this one user, the only check being carried out is P_ORGIN.
    This user had 53,500 checks in the trace file from just executing PA20, not even entering a personnel number at this point!
    The other user just had 30 checks - which would be regular enough.
    Start of trace file for excessive user (no P_PERNR check)
    21:39:32      P_ORGIN     RC= 0 INFTY=0000;SUBTY= ;AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
    21:39:37      P_ORGIN     RC= 4 INFTY=0000;SUBTY=' ';AUTHC=R;PERSA=*;PERSG=*;PERSK=*;VDSK1=*;
    21:39:37     P_ORGIN     RC= 0 INFTY=0000;SUBTY=' ';AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
    21:39:37     P_ORGIN     RC= 0     INFTY=0000;SUBTY=' ';AUTHC=R;PERSA=AT02;PERSG=1;PERSK=AB;VDSK1=AT02;
    Start of trace file for normal user (P_PERNR check)
    21:48:54     P_PERNR     RC=          0     AUTHC=W;PSIGN=*;INFTY=0001;SUBTY=' ';
    21:48:54     P_ORGIN     RC=          0     INFTY=0001;SUBTY=' ';AUTHC=W;PERSA=*;PERSG=*;PERSK=*;VDSK1=*;
    21:48:54     P_PERNR     RC=          0     AUTHC=W;PSIGN=*;INFTY=0003;SUBTY=' ';
    21:48:54     P_ORGIN     RC=          0     INFTY=0003;SUBTY=' ';AUTHC=W;PERSA=*;PERSG=*;PERSK=*;VDSK1=*;
    21:48:54     P_PERNR     RC=          0     AUTHC=W;PSIGN=*;INFTY=0002;SUBTY=' ';
    Can anyone help? Surely 53,500 authorisation checks is a little too extreme! It is not happening to other HR users so it is very strange why just this one!
    Thanks,
    Bernard.

    I have noticed now in our Quality client that there is a P_PERNR check taking place 1st as is expected.
    15:34:02:946 AUTH    - - -   S_TCODE    RC=0  TCD=PA20;                      
    15:34:02:985 AUTH    - - -   P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY= ;SUBTY= ;
    whereas in our production client there is a P_ORGIN check taking place 1st
    21:39:31:991 AUTH    - - -   S_TCODE    RC=0  TCD=PA20;                                              
    21:39:32:15  AUTH    - - -   P_ORGIN    RC=0  INFTY= ;SUBTY= ;AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
    Our configuration of the PERNR check in table T77S0 is the same in both clients.
    Are there any settings in PA20 or user defaults that would cause this? From my analysis, the trace file is showing up with one particular personnel area for the majority of the 53,500 checks!
    Any help appreciated!

  • ESS Services Problem - PLOG and P_PERNR

    Hi everyone.
    We are currently upgrading from ECC 5 to ECC 6 and I am facing an ESS issue and have a few questions.
    First, have the Webdynpro services changed between release 5 and 6? Webdynpro service sap.com/pcui_gp~xssutils/XssMenuArea doesn't show up under SU24 when reviewing auth objects PLOG and P_PERNR in ECC 6, our upgraded system. In our current ECC 5 landscape, this service is available and viewable under these auth objects. Is this service available in ECC 6.0?
    Second question - how do I manually add this service to be checked/proposed for PLOG and P_PERNR? I receive an error when clicking the change/display auth button in PFCG when working with our ESS role. The error says
    "Authorization default values of transaction B690099F24B95252AC6B70AEBD3C12 for object PLOG inconsistent"
    The character string refers to service sap.com/pcui_gp~xssutils/XssMenuArea. How can I add this service to auth objects PLOG and P_PERNR?
    Any help would be greatly appreciated and rewarded!
    Todd

    There are some changes in the service functionality-wise, but the basic structure is more or less the same. Same roles and profiles can be used.

  • Create organis'l level field for auth. field that occurs in multiple object

    Hello,
    When trying out PFCG_ORGFIELD_CREATE I ran into a problem:
    I want to have an organisational level field for BEGRU in C_STUE_BER (Auth.grp in BOM-header);
    there are other auth.objects that also have a field called BEGRU (eg M_MATE_MAR, M_MATE_MAT, F_BKKA_BPG);
    we have roles that have several of these objects.
    Running PFCG_ORGFIELD_CREATE leads to problems in those roles that have several of the objects with a field BEGRU. In general the values to be assigned to BEGRU in different objects is not the same.
    The only solution I can think of is to have per role only one object with field BEGRU.
    This would mean a serious redesign of our roles :-(.
    Is there another option?
    Thanks for your contributions.
    John Hermans

    Another option is to create transactions for the BEGRU and maintain SU24 for them.
    But that is not scalable for large BEGRU values and has an implication for menus and number of transactions, in addition to the number of roles...
    But BEGRU fields should be used with caution, as the objects which use them are mostly not intended to be scalable (like P_PERNR is scalable....) so SU24 or well documented "Maintained" authorizations might be an option to switch to.
    Cheers,
    Julius

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue.  I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0  I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS. After selecting the ADFS method, my browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds returns me to the logon page with the error message “Authentication failed”.
    I base my setup on the technet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I got in eventlog id 300
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
    serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
    trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
    failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct. In my case I was not adding the root properly: you must add the CA and the ADFS as well, which is twice. You can see my results below.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>

  • Help need in creation of auth object

    Hi all,
    Can anyone assist me in creating an auth object to restrict users based on plant?
    I would appreciate it if any one of you could send me screenshots of the procedure.
    My email id is
    <removed by moderator>
    Thanks
    Venki

    Hi,
    Basically you can use a derived role and restrict users based on plant...
    Other than the standard objects, do you want to create auth objects?
    For more information on objects you can follow this link:
    http://help.sap.com/saphelp_47x200/helpdata/en/ea/e9b0054c7211d189520000e829fbbd/frameset.htm
    Cheers
    Soma

  • Auth.log - Rejected send message, 2 matched rules; type="method_call"

    Hi,
    I'm checking /var/log/auth.log and I found that there is this error message:
    Jun 9 20:19:56 localhost polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.23 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
    Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
    Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
    Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
    I think the problem is in /etc/dbus-1/system.conf
    <deny send_type="method_call"/>
    I'm tempted to change this to allow,  but I won't as long as I don't understand why this deny-rule is implemented.
    Last edited by miky76 (2012-06-09 20:41:06)

    That deny rule is the default. Things in /etc/dbus-1/system.d override it. There's a ConsoleKit.conf file in there that describes what interaction ConsoleKit actually allows.
    That said, ConsoleKit.conf also denies this access:
    <deny send_destination="org.freedesktop.ConsoleKit"
    send_interface="org.freedesktop.DBus.Properties" />
    I don't know why this is denied - most likely it's to prevent private data from being stolen from console-kit-daemon in this way. I don't see any such private data stored in properties on ConsoleKit, though:
    $ dbus-send --print-reply --system --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.DBus.Introspectable.Introspect
    method return sender=:1.5 -> dest=:1.14 reply_serial=2
    string "<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
    "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
    <node>
    <interface name="org.freedesktop.DBus.Introspectable">
    <method name="Introspect">
    <arg name="data" direction="out" type="s"/>
    </method>
    </interface>
    <interface name="org.freedesktop.DBus.Properties">
    <method name="Get">
    <arg name="interface" direction="in" type="s"/>
    <arg name="propname" direction="in" type="s"/>
    <arg name="value" direction="out" type="v"/>
    </method>
    <method name="Set">
    <arg name="interface" direction="in" type="s"/>
    <arg name="propname" direction="in" type="s"/>
    <arg name="value" direction="in" type="v"/>
    </method>
    <method name="GetAll">
    <arg name="interface" direction="in" type="s"/>
    <arg name="props" direction="out" type="a{sv}"/>
    </method>
    </interface>
    <interface name="org.freedesktop.ConsoleKit.Session">
    <method name="SetIdleHint">
    <arg name="idle_hint" type="b" direction="in"/>
    </method>
    <method name="GetIdleSinceHint">
    <arg name="iso8601_datetime" type="s" direction="out"/>
    </method>
    <method name="GetIdleHint">
    <arg name="idle_hint" type="b" direction="out"/>
    </method>
    <method name="Unlock">
    </method>
    <method name="Lock">
    </method>
    <method name="Activate">
    </method>
    <method name="GetCreationTime">
    <arg name="iso8601_datetime" type="s" direction="out"/>
    </method>
    <method name="IsLocal">
    <arg name="local" type="b" direction="out"/>
    </method>
    <method name="IsActive">
    <arg name="active" type="b" direction="out"/>
    </method>
    <method name="GetLoginSessionId">
    <arg name="login_session_id" type="s" direction="out"/>
    </method>
    <method name="GetRemoteHostName">
    <arg name="remote_host_name" type="s" direction="out"/>
    </method>
    <method name="GetDisplayDevice">
    <arg name="display_device" type="s" direction="out"/>
    </method>
    <method name="GetX11DisplayDevice">
    <arg name="x11_display_device" type="s" direction="out"/>
    </method>
    <method name="GetX11Display">
    <arg name="display" type="s" direction="out"/>
    </method>
    <method name="GetUnixUser">
    <arg name="uid" type="u" direction="out"/>
    </method>
    <method name="GetUser">
    <arg name="uid" type="u" direction="out"/>
    </method>
    <method name="GetSessionType">
    <arg name="type" type="s" direction="out"/>
    </method>
    <method name="GetSeatId">
    <arg name="sid" type="o" direction="out"/>
    </method>
    <method name="GetId">
    <arg name="ssid" type="o" direction="out"/>
    </method>
    <signal name="Unlock">
    </signal>
    <signal name="Lock">
    </signal>
    <signal name="IdleHintChanged">
    <arg type="b"/>
    </signal>
    <signal name="ActiveChanged">
    <arg type="b"/>
    </signal>
    <property name="idle-hint" type="b" access="readwrite"/>
    <property name="is-local" type="b" access="readwrite"/>
    <property name="active" type="b" access="readwrite"/>
    <property name="x11-display-device" type="s" access="readwrite"/>
    <property name="x11-display" type="s" access="readwrite"/>
    <property name="display-device" type="s" access="readwrite"/>
    <property name="remote-host-name" type="s" access="readwrite"/>
    <property name="session-type" type="s" access="readwrite"/>
    <property name="user" type="u" access="readwrite"/>
    <property name="unix-user" type="u" access="readwrite"/>
    </interface>
    </node>
    Note those properties at the end of that list, which are the same things you can learn by running ck-list-session.
    If you want to change the deny to allow, you may as well do it in the ConsoleKit.conf line, so it's specific to this usage, rather than allowing any method call in the world called through dbus.
    FWIW, I can reproduce this same error, trying to do it "by hand", though I don't use GNOME, as you do:
    $ dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.DBus.Properties.GetAll string:org.freedesktop.ConsoleKit.Session
    Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.17" (uid=1000 pid=13892 comm="dbus-send --print-reply --system --type=method_cal") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination="org.freedesktop.ConsoleKit" (uid=0 pid=751 comm="/usr/sbin/console-kit-daemon --no-daemon ")

  • Implement Hierarchy's On InfoObject that is Not Auth Relevant.

    Hello Friends,
    Please advise me on this issue.
    I am upgrading from 3.1 to 7.0. I am able to implement hierarchies when the InfoObject is auth relevant.
    There are hierarchies in 3.1 on InfoObjects which are not auth relevant,
    like 0PLANT. I don't know how to implement these.
    Is there any way to implement hierarchies on InfoObjects which are not auth relevant in BI 7.0 using Analysis authorizations?
    Or do I need to make these non auth relevant InfoObjects of 3.1 auth relevant in 7.0 and implement hierarchies?
    Please advice.
    Thanks,
    Ram

    Hi Keerti,
    Can you please tell me how to implement a hierarchy without making 0PLANT auth relevant?
    We are upgrading from 3.1 to 7.0.
    0PLANT is not auth relevant in 3.1 but it has hierarchies.
    So the business team wants to have the same in 7.0 without making it auth relevant.
    Please help me in doing this.
    Thanks
    Ram

  • How do I use Kerberos Auth in Java 6?

    Hi,
    I have a problem with the Kerberos authentication. I have a simple class that tries to connect to an LDAP server using Kerberos. It works great when I use java 5, but with java 6 it fails.
    Here is part of the code:
            System.setProperty("java.security.auth.login.config", "/etc/login.conf");
            System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
            System.out.println("Trying to login using kerberos...");
            KerberosCallbackHandler kerberosCallbak = new KerberosCallbackHandler();
            LoginContext loginContext = new LoginContext(loginContextName, kerberosCallbak);
            loginContext.login();
            System.out.println("Login succeeded");
            //Login succeeds on both java 5 and java 6
            Subject.doAs(loginContext.getSubject(), new JndiAction());
            System.out.println("Connected through Kerberos successfully");
    The failure happens in the JndiAction:
        public class JndiAction implements PrivilegedExceptionAction<Integer>
        {
            public Integer run() throws Exception
            {
                String username = user + "@" + domain;
                System.out.println("User to connect to Kerberos is " + username);
                System.out.println("Provider URL is: " + url);
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put("java.naming.ldap.derefAliases", "finding");
                env.put(Context.PROVIDER_URL, url);
                // GSSAPI selects the Kerberos SASL mechanism for the LDAP bind
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                System.out.println("Trying to create context...");
                new InitialLdapContext(env, null);
                return 0;
            }
        }
    An exception occurs when calling new InitialLdapContext:
    Exception in thread "main" java.security.PrivilegedActionException: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Unknown Source)
            at KerberosAuth.connectKerberos(KerberosAuth.java:71)
            at KerberosAuth.main(KerberosAuth.java:29)
    Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
            at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
            at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
            at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
            at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
            at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
            at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
            at javax.naming.InitialContext.init(Unknown Source)
            at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
            at KerberosAuth$JndiAction.run(KerberosAuth.java:155)
            at KerberosAuth$JndiAction.run(KerberosAuth.java:1)
            ... 4 more
    Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
            at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
            ... 18 more
    Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
            at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            ... 19 more
    Caused by: KrbException: Server not found in Kerberos database (7)
            at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
            at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
            at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
            ... 22 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
            at sun.security.krb5.internal.KDCRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
            ... 27 more
    I want to emphasize that the login function did succeed, and that I try to connect to the same server with the same username and password and same configuration. With Java 5 it works, with Java 6 it does not.
    Does anybody know what I should do to solve this problem?
    TIA,
    Dikla

    Note: This thread was originally posted in the Java Secure Socket Extension (JSSE) forum (http://forums.sun.com/forum.jspa?forumID=2), but moved to this forum for closer topic alignment.

  • How do I use my own Custom Auth/Authentication/Entitlement (Token)?

    [ Background ]
    Adobe Access DRM provides for 3 authentication mechanisms:
    Anonymous - Licenses are issued regardless of whether there is a valid authentication token attached to the license request.
    UsernamePassword - Licenses are ONLY issued if the license request has a valid Adobe-Access-Server-Issued authentication token.
    Custom - Licenses are ONLY issued if there is a valid custom authentication token attached to the license request.
    Typically, customers already have some authentication scheme in place and choose to re-use that system, instead of leveraging Adobe Access' built-in usernamePassword support.  For this to succeed, accommodations must be made during packaging time, on the client device, and at the Adobe Access license server endpoint.
    [ More Background ]
    Here's a forum thread that prompted this thread: http://forums.adobe.com/message/5085330#5085330
    [ Recipe ]
    1. Adobe Access DRM Policy is created that specifies a "custom" authentication token.  As of Adobe Access 4.0, the tools that ship with the Java SDK cannot create a DRM policy with "custom" authentication out of the box; a small Java application will have to be written to do this, which is covered in the thread posted above.
    2. Content is packaged using this custom_auth policy.
    3. Client device performs authentication via whatever channel already exists for you to perform authentication (e.g. SAML tokens, etc...)
    4. Client device sets the authentication token: DRMManager.setAuthenticationToken()
    5. Client device attempts to acquire a license for the content created in step #2: DRMManager.loadVoucher();
    5a) Because step #4 set the authentication, all license requests going forward will automatically have this custom auth token appended to it
    6. License server receives request & extracts custom auth token to parse & perform additional entitlement checks
    7. License server generates a license to return to client device.
    [ Server Code Snippet (RefImplLicenseReqHandler.java) ]
    try {
      ServletInputStream in = request.getInputStream();
      ServletOutputStream out = response.getOutputStream();
      HandlerConfiguration context = super.getHandlerContext();
      ServerCredential licenseServerCred = getLicenseParams().getLicenseServerCred();
      licenseHandler = new LicenseHandler(context, in, out, licenseServerCred);
      licenseHandler.parseRequest();
      List<? extends LicenseRequestMessage> requests = licenseHandler.getRequests();
      // Multiple request in one message is not supported in FAXS 2.0 or 3.0 client.
      for (LicenseRequestMessage licenseReq : requests) {
        try {
          // TODO: If custom authentication is specified in the DRM policy, here is where
          // you can retrieve the custom authentication token and perform custom parsing to
          // determine further business rules and entitlement before issuing a license.
          // The "Custom Authentication" will look like:
          // 1. Client device obtains auth token using some other channel
          // 2. Client device sets auth token by calling DRMManager.setAuthenticationToken()
          // 3. Client makes a license request by calling DRMManager.loadVoucher()
          // 4. Adobe Access Server receives request and:
          // 4a) Determines Custom Auth is required by DRM Policy: licenseReq.getContentInfo().getContentMetadata().getPolicies()[0].getLicenseServerInfo().getAuthenticationType();
          // 4b) Retrieves Custom Auth token for custom parsing/handling: licenseReq.getRawAuthenticationToken()
          // 5. If there are no errors when parsing the custom token, Adobe Access Server generates a license.
          V2ContentMetaData metadata = licenseReq.getContentInfo().getContentMetadata();
          ApplicationProperties applicationProperties = null;
          String usageModelString = null;
          if (metadata != null) {
            applicationProperties = metadata.getCustomProperties();
            if (applicationProperties != null) {
              usageModelString = applicationProperties.getSingleValueAsUTF8String(DEMOMODE);
    cheers,
    /Eric.
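
One way the entitlement check in step 6 of the recipe above could be written, as an added example that is not part of the original post and not Adobe Access SDK code. The token format, the class and method names, the demo key, and the assumption that the value from licenseReq.getRawAuthenticationToken() is available as a byte array are all hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;

/**
 * Added example, not Adobe Access SDK code. Hypothetical token format:
 *   base64url(payload) + "." + base64url(HMAC-SHA256(key, payload))
 *   payload = userId|contentId|expiryEpochSeconds
 */
public class CustomAuthTokenVerifier {
    private final byte[] key;
    public CustomAuthTokenVerifier(byte[] key) { this.key = key.clone(); }

    /** Returns the authenticated user id, or throws SecurityException (deny the license). */
    public String verify(byte[] rawToken, String requestedContentId, Instant now) {
        if (rawToken == null || rawToken.length == 0 || rawToken.length > 1024)
            throw new SecurityException("missing or oversized token");
        String token = new String(rawToken, StandardCharsets.US_ASCII);
        int dot = token.indexOf('.');
        if (dot <= 0 || dot != token.lastIndexOf('.') || dot == token.length() - 1)
            throw new SecurityException("malformed token");
        byte[] payload, mac;
        try {
            payload = Base64.getUrlDecoder().decode(token.substring(0, dot));
            mac = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            throw new SecurityException("malformed token");
        }
        // Authenticate the bytes first, in constant time, before parsing any field.
        if (!MessageDigest.isEqual(hmac(payload), mac)) throw new SecurityException("bad signature");
        String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|", -1);
        if (f.length != 3 || f[0].isEmpty()) throw new SecurityException("malformed payload");
        long expires;
        try { expires = Long.parseLong(f[2]); }
        catch (NumberFormatException e) { throw new SecurityException("malformed expiry"); }
        if (now.getEpochSecond() >= expires) throw new SecurityException("token expired");
        // Bind the token to the requested content so it cannot be reused for other titles.
        if (!f[1].equals(requestedContentId)) throw new SecurityException("token not valid for this content");
        return f[0];
    }

    // Stand-in for the existing authentication system that mints the token (recipe step 3).
    public byte[] issue(String userId, String contentId, long expiryEpochSeconds) {
        byte[] payload = (userId + "|" + contentId + "|" + expiryEpochSeconds).getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String token = enc.encodeToString(payload) + "." + enc.encodeToString(hmac(payload));
        return token.getBytes(StandardCharsets.US_ASCII);
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(key, "HmacSHA256"));
            return m.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo key and values; a real key comes from a secret store.
        byte[] demoKey = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        CustomAuthTokenVerifier v = new CustomAuthTokenVerifier(demoKey);
        Instant now = Instant.ofEpochSecond(1_700_000_000L);
        byte[] token = v.issue("alice", "movie-42", 1_700_000_600L);
        System.out.println("license may be issued to: " + v.verify(token, "movie-42", now));
        try { v.verify(token, "movie-99", now); } // same token, different content
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In the license handler, a SecurityException from verify() is the point at which the request is refused instead of continuing to license generation.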

    Google Search: firefox create a persona
    * Personas for Firefox | How to Create Personas: https://www.getpersonas.com/en-US/demo_create
    * Personas for Firefox | Frequent Questions: http://www.getpersonas.com/en-US/faq
    * Personas for Firefox | Getting Started: http://www.getpersonas.com/en-US/getting_started
    I think you'd have a lot more fun with Styles though, personas tend to hide things on toolbars, styles can be more helpful (or just as bad)
    * Stylish :: Add-ons for Firefox: https://addons.mozilla.org/en-US/firefox/addon/stylish/
    * Restyle the web with Stylish! - userstyles.org: http://userstyles.org/
    * Scrollbar Context Menu - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/54
    * Scrollbar Menu - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/52
    * Link Warning - Themes and Skins for Mozilla - userstyles.org: http://userstyles.org/styles/1301
    * Tabs, Enlarge list-all-tabs button - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/18553
    * Tabs Bar Minimal Size - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/9043
    * Tab Color Underscoring active/read/unread (Fx3.6) - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/24728

  • iTunes auth problem on Windows 7 64-bit

    Hi,
    I experience weird issues with the iTunes auth-process on a Windows 7 (64bit) machine.
    When I try to authorize my computer it results in a message telling me something about connection issues. Anyhow, it seems the computer is kind of activated since I can deauth my computer. If I try auth'in my computer several times, it also allows to deauth it several times until it says that it is not auth'd anymore.
    My tries so far to solve this
    - updated to latest iTunes
    - deactivated, even uninstalled firewall (used NIS2011), also disabled the Windows Firewall after that
    - checked hosts file
    - deleted SC Info
    - even tried with creating new library
    - disabled User Access Control in Windows
    - disabled all startup items in "msconfig"
    - tried to activate with same account a different computer in the same network, I was able to play movies using the private home sharing feature, also activation was no problem
    - re-installed Apple Software (including iTunes, Quicktime and Safari)
    - checked Diagnostic within iTunes with no problems
    So my guess is that it could have something to do with 64 bit or any hard- or software related issue on my computer's side.
    Detailed procedure:
    1 - Start iTunes, click Store > Authorize > Enter credentials
    and now the weird thing is that the "authorize" button says "deauthorize", no matter how often I try to deauthorize before.
    2 - Repeated step 1 since it says always the same error message (connectivity alert)
    3 - Playback of any DRM protected media does not work (movies). It asks for authorization again but fails to do so with the same message again
    4 - Deauthorizing is possible and I noticed that I can do this as many times as I tried to authorize before.
    Does anyone have a suitable idea for helping me out in this issue? I never had problems on my mac before, nor on a Windows 7 32bit system.
    My 64 bit machine is only used with one iTunes account.
    I already contacted the iTunes Support via Mail but they could not help me since this could be a technical issue.
    Any help is much appreciated.
    Thanks in advance,
    Benjamin

    After numerous calls with Apple support, I finally got it working
    For me, the problem was the following:
    1. Make sure that Internet Explorer is your standard browser for windows (if not...make it)!
    2. In Internet Explorer go to "Internet Options" then "Advanced"
    3. In the list scroll down to "Security" and UNCHECK "Check for server certificate revocation"
    4. Make sure that (a bit further down) "Use SSL 3.0" and "Use TLS 1.0" are CHECKED.
    5. Delete the "SC Info" folder once again... 
    6. Run iTunes in Admin-Mode
    After that, I was able to activate my computer and I changed my browser back to Firefox afterwards...
    Hope that will help you too !!
    Cheers

  • FORM AUTH:  JDBCRealms  WILL NOT WORK     HELP ! ! !

    Hello,
    I have followed the Tomcat JDBCRealms setup, but it never allows me through to the secure page; it always redirects to loginerror, even when using a valid user/pass pair!
    I am a student and this is part of a research project to compare .NET with J2EE.
    HELP
    my project details are below
    loginForm.html:
    <?xml version="1.0"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>Login Test: Login Form</title>
    </head>
    <body>
    <h1>Login Form</h1>
         Welcome to the login page. You will have to authenticate to get access to the secure area:
    <form method="POST" action="j_security_check">
    Username: <input type="text" name="j_username" />
    Password: <input type="password" name="j_password" />
    <input type="submit" value="Login" />
    <input type="reset" value="Reset" />
    </form>
    </body>
    </html>
    web.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
      <welcome-file-list>
        <welcome-file>index.html</welcome-file>
      </welcome-file-list>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>SecurePages</web-resource-name>
          <description>Security constraint for resources in the secure directory</description>
          <url-pattern>/secure/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>tomcatRole</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>SSL not required</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/LoginForm.html</form-login-page>
          <form-error-page>/LoginError.html</form-error-page>
        </form-login-config>
      </login-config>
      <security-role>
        <role-name>tomcatRole</role-name>
      </security-role>
    </web-app>
    extract from server.xml (in tomcat 3.2.2/conf dir):
    <!--
    UnComment the following and comment out the
              <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm" debug="0" />
    -->
    <RequestInterceptor className="org.apache.tomcat.request.JDBCRealm" debug="99" driverName="oracle.jdbc.driver.OracleDriver" connectionURL="jdbc:oracle:thin:@MADDZILLA:1521:Store" connectionName="SYSTEM" connectionPassword="manager" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" />
    server.xml, altered part:
    <!-- commented out memoryrealm request
    <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm" debug="0" />
    -->
    added jdbcrealm request
    <RequestInterceptor className="org.apache.tomcat.request.JDBCRealm" debug="99" driverName="oracle.jdbc.driver.OracleDriver" connectionURL="jdbc:oracle:thin:@MADDZILLA:1521:Store" connectionName="SYSTEM" connectionPassword="manager" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" />
    tables created for tomcat security example:
    create table users (
      user_name varchar(15) not null primary key,
      user_pass varchar(15) not null
    );
    create table roles (
      role_name varchar(15) not null primary key
    );
    create table user_roles (
      user_name varchar(15) not null,
      role_name varchar(15) not null,
      primary key( user_name, role_name )
    );
    INSERT INTO users (user_name, user_pass) VALUES ('tomcat','tomcat');
    INSERT INTO users (user_name, user_pass) VALUES ('user1','tomcat');
    INSERT INTO users (user_name, user_pass) VALUES ('user2','tomcat');
    INSERT INTO users (user_name, user_pass) VALUES ('user3','tomcat');
    INSERT INTO roles (role_name) VALUES ('tomcatRole');
    INSERT INTO roles (role_name) VALUES ('otherRole');
    INSERT INTO user_roles (role_name, user_name) VALUES ('tomcatRole','user1');
    INSERT INTO user_roles (role_name, user_name) VALUES ('otherRole','user2');
    INSERT INTO user_roles (role_name, user_name) VALUES ('otherRole','tomcat');
    INSERT INTO user_roles (role_name, user_name) VALUES ('tomcatRole','tomcat');

    I've tried jdbc realm, and it works fine for me. I'm not using the form_auth, rather it pops-up a network login dialog for me. If you need details, get in touch on [email protected]

  • HR PA and Planning (PD profile) changes not updating auth profiles of users

    PROBLEM:
    We are on ERP version 6 since 2008. We started experiencing this problem December last year and now it is all over our system. As soon as employees are transferred or new appointments are made in HR on PA, or if the PD profile is changed in planning, the changes cannot be seen by the user in their auth profile. The user can literally not see the newly appointed employee on the org structure, and even newly created org units and positions are not visible. When RE_RHAUTH00 is run on the user name, the update indicates that the changes (new employee and new org unit) are linked.
    The following updates run every night: RHPROFL0_DAILY_UPDATE and RHUATUPD_NEW. I have also run PFUD during the day to make sure all updates go through. We have also "played" with some profiles with PD profile changes, but it is as if the profile remains completely static. We have looked for personnel lists and deleted them to no avail. Our Basis administrator has cleared the buffer for us and has run report RSUSR405, which did not do anything. We have searched through notes on Support packages and have just loaded and tested support pack 46 to 53. The only workaround seems to be to delete the user and create a new user, and then it seems to easily accept new changes.

    Hi,
    Yes, please make it a scheduled background job. This is normal procedure.
    Define periodicity based on your business needs: some run it every night, some every hour.
    Cheers

  • Issue with AP Auth List

    Hi guys,
    I'm having problems joining an AP (3602I) to my controller (5508) when authorising MICs against my auth-list on the controller.
    I have added the AP MAC address to the auth-list but the AP won't successfully join. The controller occasionally says "joined" and I can view it in the AP list, but the AP status is always UNKNOWN, whereby I will reset the AP and try again.
    Any ideas?
    Thanks.

    show inv:
    Burned-in MAC Address............................ E8:B7:48:A1:CD:A0
    Power Supply 1................................... Present, OK
    Power Supply 2................................... Absent
    Maximum number of APs supported.................. 100
    NAME: "Chassis"    , DESCR: "Cisco 5500 Series Wireless LAN Controller"
    PID: AIR-CT5508-K9,  VID: V01,  SN: xxxxxxxxxx
    AP sh ver:
    AP78da.6e42.85ca#sh ver
    Cisco IOS Software, C3600 Software (AP3G2-K9W8-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Tue 30-Jul-13 22:57 by prod_rel_team
    ROM: Bootstrap program is C3600 boot loader
    BOOTLDR: C3600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(23c)JY, RELEASE SOFTWARE (fc1)
    AP78da.6e42.85ca uptime is 22 minutes
    System returned to ROM by power-on
    System image file is "flash:/ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-xx.152-4.JA1"
    Last reload reason:
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-CAP3602I-E-K9 (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.
    Processor board ID FCZ1749J1KS
    PowerPC CPU at 800Mhz, revision number 0x2151
    Last reset from power-on
    LWAPP image version 7.5.102.0
    1 Gigabit Ethernet interface
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 78:DA:6E:42:85:CA
    Part Number                          : 73-14521-02
    PCA Assembly Number                  : 800-37501-02
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC17444F2D
    Top Assembly Part Number             : 800-35852-02
    Top Assembly Serial Number           : FCZ1749J1KS
    Top Revision Number                  : C0
    Product/Model Number                 : AIR-CAP3602I-E-K9
    Configuration register is 0x
    WLC software version: 7.5.102.0
    FUS: 7.0.112.21
    Thanks again Scott.
