Hyperion encryption and password / account lockout mechanisms

Similar Messages

• Password Policy and user account lockout in OAM

  Hi folks,
  I'm new to OAM and have rather silly question: I created Password Policy where I've defined the Number of login tries allowed, Custom Account Lockout Redirect URL, etc. Now, how do I tie it to the authentication / authorization rules inside my Policy Domain which I'm using to protect a certain resource?
  Thank you
  Roman

  Hi Colin,
  I do have the validate_password plugins defined in the Authent scheme, here they are:
  credential_mapping      obMappingBase="xxxxxx"
  validate_password      obCredentialPassword="password"
  validate_password      obReadPasswdMode="LDAP"
  validate_password      obWritePasswdMode="LDAP"
  Yet, after the third unsuccessful login, nothing happens. I still don't get it how the password policy I've created kicks into the action? Should it be evaluated each time a user attempts an access? Is it getting engaged due to the validate password plugin names?
  I've also noticed that the only default step I have in the Authent scheme doesn't list the last two validate password plugins in it. Does it have to?
  Thanks Roman
  Edited by: roman_zilist on Dec 17, 2009 9:12 AM

• Hyperion, Oracle, and password expirations ???

  We're currently in the process of trying to change our password policy for some reporting databases we have that are only accessed by users (non-developers) for developing hyperion reports using the desktop client software. We've set up an Oracle warning message to be generated when the user's password is going to expire in 5 days. When logging in through the OCE, the user sees this message, but it never actually logs the user in... it shows the message, and then redisplays the login popup. I'd like for them to be able to login and then use their Connections Manager to change the database password, but it won't let them log in.
  Has anyone encountered this problem before and possibly know of a solution or workaround? I'm assuming the Hyperion client software is taking any return code other than 0 for login as a failure...

  If you need an encrypted connection to Essbase then you should use Smartview over https.
  1) The Excel-Addin connection is not encrypted -- you can definitely see member information with a packet trace and with some time could probably figure out how to decipher the numeric data. The password to connect with did seem to have some level of encryption -- Hyperion would need to answer anything further as this is not documented.
  2) The lockout mechanism depends on the user directory provider you chose. To my knowledge the native directory has not capabilities for user lockout. If you chose to use say Active Directory or another system then the those items are configured in that user directory and you would need to speak with the specific directory administration team regarding the lockout mechanisms.
  Regards,
  -John

• Cant restore the backup, got encrypted and password, but

  since i encrypted the backup, itunes ask to enter the password before restore.
  then i enter the right password, iphone screen show me it's in restoring.
  But after just a few minutes, iphone auto restart itself, and go into normal standby screen. But the itunes still show me a loading window, from this window, i can know the restore process haven't start yet.because the loading bar is still waving and don't have a percentage bar. And in the iphone nothing have been restored. only the new backup was set in encrypted.
  plz help me
  Message was edited by: cymdia

  I am having the same issue. I can't turn off encryption, and no password that I try works at all! How do we recover the password or turn encryption off without it???

• Can I change my email address and password on itunes but still open it with the old email and password since my husband has and uses the other email account?

  Purchased iphone years ago using our only email address and recently this year my husband finally decided to get the iphone 4 using our email with no intentions on syncing it to computer.  In July I purchased the iphone4 and just recently installed the upgrade ios5 and since then decided to get my own email address but all my devices and itunes account is under our email address and not my new address.  Now he decides to upgrade his phone to ios5 and now we get each others new apps, music and if we get texted though imessage. I assume this is because we have the same email and password account.
  How can i change the itune account to my new e-mail address, but my husband keep the same itunes login all on one itune account? or is this possible?

  If you change the primary email, you must use that one to login in with, as the primary email IS your AppleID.
  If you go to https://appleid.apple.com you can login and change your information for your AppleID account, but you will  see that the AppleID = primary email address.  So, no, there is no way to change that, and still have your husband log in with the old AppleID/email.
  Your husband can still use your AppleID after you change the email addres, just using that new email and password (ie. you can both still use the same AppleID, but it now will defacto be your new email address).
  Or, if it is just a means to avoid the collisions of iMessage texts, just have your husband create his own AppleID just for use with iMessage.  You can still both use your AppleID for the iTunes and App stores, but in the iMessage settings, he can use his own AppleID instead of yours.
  In short - you can each have multiple AppleIDs, and you do not have to use the same AppleID for both purchases, syncing and so forth AND iMessage - iMessage settings can use a different AppleID from the other things.

• Can I use user names and password of Microsoft Office Outlook for hyperion

  I'm new to Hyperion. Can anyone tell that can I use "user names" and "passwords" of Microsoft Office Outlook for login into hyperion applications.
  I'm not talking about single sign on, but want to use same user names and passwords as that in Outlook.
  ANy suggestions?

  That depends on how your Outlook authentication is configured.
  Hyperion is generally configured to authenticate against a network directory (NTLM, MSAD or LDAP). I'm not an Outlook expert, but my Outlook user ID and password is almost always my MSAD id and password (I change clients regularly, and it's almost always the same situation). So it's also usually the same as my Hyperion ID and password.
  Ask your Outlook administrator whether it uses (or syncs with) MSAD, NTLM or LDAP. If the answer is yes, then you're in good shape because Hyperion can use these as well.
  Hope this helps,
  - Jake

• Random Account Lockout (How to trace source?)

  In Windows 2003 server native domain environment: XP Pro machines have no issues, but all ~10 PCs that have Win7 Pro (in different offices) have their domain accounts locked out randomly throughout the day. Workstations have no passwords listed in credentials
  management.
  Suspect it is something on the workstations that is sending incorrect logon and triggering the invalid password lockout limit on domain policy. Found MSFT tools to trace in XP, but nothing for Win7. Does anyone know how to use Procmon or similiar tool to
  trace such source on the workstations? Thank you.
  (Procmon.exe from systernals)

  Hi,
  The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
  We can run the LockoutStatus.exe on domain controller to identify and investigate the account lockout issue.
  Troubleshooting tools:
  By using this tool, we can gather and displays information about the specified user account including the domain admin's account
  from all the domain controllers in the domain. In addition, the tool displays the user's badPwdCount value on each domain controller. The domain controllers that have a badPwdCount value that reflects the bad password threshold setting for the domain are the
  domain controllers that are involved in the lockout. These domain controllers always include the PDC emulator operations master.
  You may download the tool from the link
  Download Account Lockout Status (LockoutStatus.exe)
  http://www.microsoft.com/downloads/details.aspx?familyid=D1A5ED1D-CD55-4829-A189-99515B0E90F7&displaylang=en
  Once we confirm the problematic computer, we can perform further research to locate the root cause. Actually, there are many possible
  causes for bad password, such as cached password, schedule task, mapped drives, services, etc. Please remove the previous password cache which may be used by some applications and therefore cause the account lockout problem.
  Troubleshooting steps:
  1. Click Start, click Run, type "control userpasswords2" (without the quotation marks), and then click OK.
  2. Click the Advanced tab.
  3. Click the "Manage Password" button.
  4. Check to see if these domain account's passwords are cached. If so, remove them.
  5. Check if the problem has been resolved now.
  If there is any application or service is running as the problematic user account, please disable it and then check whether the problem
  occurs.
  For your convenience, I'd like to list the common troubleshooting steps and resolutions for account lockouts as the following:
  Common Causes for Account Lockouts
  To avoid false lockouts, please check each computer on which a lockout occurred for the following behaviors:
  Programs:
  Many programs cache credentials or keep active threads that retain the credentials after a user changes their password.
  Service accounts:
  Service account passwords are cached by the service control manager on member computers that use the account as well as domain controllers.
  If you reset the password for a service account and you do not reset the password in the service control manager, account lockouts for the service account occur. This is because the computers that use this account typically retry logon authentication by using
  the previous password. To determine whether this is occurring, look for a pattern in the Netlogon log files and in the event log files on member computers. You can then configure the service control manager to use the new password and avoid future account
  lockouts.
  Bad Password Threshold is set too low:
  This is one of the most common misconfiguration issues. Many companies set the Bad Password Threshold registry value to a value lower
  than the default value of 10. If you set this value too low, false lockouts occur when programs automatically retry passwords that are not valid. Microsoft recommends that you leave this value at its default value of 10. For more information, see "Choosing
  Account Lockout Settings for Your Deployment" in this document.
  User logging on to multiple computers:
  A user may log onto multiple computers at one time. Programs that are running on those computers may access network resources with
  the user credentials of that user who is currently logged on. If the user changes their password on one of the computers, programs that are running on the other computers may continue to use the original password. Because those programs authenticate when they
  request access to network resources, the old password continues to be used and the users account becomes locked out. To ensure that this behavior does not occur, users should log off of all computers, change the password from a single location, and then log
  off and back on.
  Stored user names and passwords retain redundant credentials:
  If any of the saved credentials are the same as the logon credential, you should delete those credentials. The credentials are redundant
  because Windows tries the logon credentials when explicit credentials are not found. To delete logon credentials, use the Stored User Names and Passwords tool. For more information about Stored User Names and Passwords, see online help in Windows XP and the
  Windows Server 2003 family.
  Scheduled tasks:
  Scheduled processes may be configured to using credentials that have expired.
  Persistent drive mappings:
  Persistent drives may have been established with credentials that subsequently expired. If the user types explicit credentials when
  they try to connect to a share, the credential is not persistent unless it is explicitly saved by Stored User Names and Passwords. Every time that the user logs off the network, logs on to the network, or restarts the computer, the authentication attempt fails
  when Windows attempts to restore the connection because there are no stored credentials. To avoid this behavior, configure net use so that is does not make persistent connections. To do this, at a command prompt, please type net use /persistent:no. Alternately,
  to ensure current credentials are used for persistent drives, disconnect and reconnect the persistent drive.
  Active Directory replication:
  User properties must replicate between domain controllers to ensure that account lockout information is processed properly. You should
  verify that proper Active Directory replication is occurring.
  Disconnected Terminal Server sessions:
  Disconnected Terminal Server sessions may be running a process that accesses network resources with outdated authentication information.
  A disconnected session can have the same effect as a user with multiple interactive logons and cause account lockout by using the outdated credentials. The only difference between a disconnected session and a user who is logged onto multiple computers is that
  the source of the lockout comes from a single computer that is running Terminal Services.
  Service accounts:
  By default, most computer services are configured to start in the security context of the Local System account. However, you can
  manually configure a service to use a specific user account and password. If you configure a service to start with a specific user account and that accounts password is changed, the service logon property must be updated with the new password or that service
  may lock out the account.
  Internet Information Services:
  By default, IIS uses a token-caching mechanism that locally caches user account authentication information. If lockouts are limited to users who try to gain access
  to Exchange mailboxes through Outlook Web Access and IIS, you can resolve the lockout by resetting the IIS token cache. For more information, see "Mailbox Access via OWA Depends on IIS Token Cache" in the
  Microsoft Knowledge Base.
  MSN Messenger and Microsoft Outlook:
  If a user changes their domain password through Microsoft Outlook and the computer is running MSN Messenger, the client may become locked out. To resolve this behavior,
  see "MSN Messenger May Cause Domain Account Lockout After a Password Change" in the
  Microsoft Knowledge Base.
  For more information, please refer to the following link:
  Troubleshooting Account Lockout
  http://technet.microsoft.com/en-us/library/cc773155.aspx
  Account Passwords and Policies in Windows Server 2003
  http://technet.microsoft.com/en-us/library/cc783860.aspx
  Hope this helps!
  Novak

• Preview - PDF - Encrypt - Add password

  I am trying to be a loyal Mac user and rely on Preview for management of my secure PDF files.
  (I have used Adobe Acrobat Professional -AAP- for several years; I am trying to avoid installing it on my clean SL installation.)
  1.) How do I use Preview to open a PDF file created, encrypted, and password protected in AAP? (I get an error: The file “Secure.pdf” could not be opened. It may be damaged or use a file format that Preview doesn’t recognize."
  2.) Can someone give me simple step by step instructions to add Automator functions to Preview to allow me to encrypt and password protect individual files on a file by file basis?
  All of this is very simple in AAP. Seems unnecessarily difficult in SL...
  Help?

  Well, Dr. Midnight,
  There IS an answer. The "Password Protect PDF" file is a function in Automator that comes up as a Service in Preview.
  For me the problem is that Automator is not very intuitive and I am too old and too lazy to learn a new programming language just to replace/repair functionality that I had with Acrobat Professional in Leopard that got broken in Snow Leopard.
  Ok, - in truth - not broken, but moved and changed and made less easy to use. Preview becomes the default PDF handler in Snow Leopard. I though - ok - if Preview will do what Acrobat Professional used to do for me, I'll be a good little loyal Apple user and move from Acrobat Professional to Preview (and stop paying for Acrobat upgrades).
  Then I figured out it is a PITA to learn Automator and I learned that no one on this forum seems to know (or be willing to share) simple steps to enable one Automator Service.
  So I reinstalled Acrobat since I already own two licenses and since it does what I want simply and intuitively.
  By the way, thanks for checking in. Nice to know I am not all alone out here ....

• ACS 5.3 and Windows AD account lockout

  Currently on 5.3.0.40.2 when a invalid password is attempted via TACACS or RADIUS to the AD identity store is locks the account out on the first failed attempt. The AD policy is lockout after three attempts. Is there a way to fix this issue so the account is not locked out with only one failed attempt? I see options for local password policys in ACS but nothing for the identity store. For what its worth this happened also with ACS 4.X deployment before we moved to ACS 5.3.
  Just wanted to see if this is the expected behavior or if I should open a TAC case to see what is causing this.
  Thanks.

  Hi;
  Well, we got it working. Not sure of the exact fix, but allow me to ramble, perhaps it will help someone else.
  We think that a combinationof factors caused the problem. First, we had clock drift, and that resulted in clock skew messages in the logs like these:
  Sep 20 18:06:03 ecb-acs1 adclient[8322]: INFO  base.adagent start: Problem connecting to domain controller (KDC refused skey: Clock skew too great), will try again later.
  and
  ecb-acs1 adclient[1163]: WARN  base.bind.cache LDAP fetch CN=bubba,OU=staff,OU=edcenter,OU=edcenterarea,OU=episd,DC=episd,DC=org threw unexpected exception: SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Clock skew too great"
  Somehow the ACS lost the ntp config, very disturbing, because I know that one of the first things I did was setup NTP. So I re-did the ntp config, confirmed the time was accurate. Still failed. Then, because I was annoyed by the log entries comning out in UTC, I did a clock timezone to set it to local. That made the logs come out in local time, but might have caused other problems (I saw another forum entry for that) so I set it back to UTC.
  This begs the question - how to leave the timezone at UTC but fix the timestamps for the logs? This is easy on Cisco switches.
  Various reboots of the ACS after deleting the object in AD did not fix the problem. During these reboots I continued to use the original userid and password to authenticate. At all times, the "test connection" button showed that the credentials were OK.
  Because we had recently added our first Win2008 domain controller to our world (all ther other DCs are Win2k3), we started worrying about this:
  http://support.microsoft.com/kb/978055/en-us
  But, after some checking, it seems as if we already had the fix applied.
  Next, we created a dedicated user in AD for the ACS to use when authenticating. Deleted the ACS object, restarted the ACS, applied those new credentials. Still broken.
  Our AD admin looked in various logs and found some things, here is his summary:
  ----------- from Danny --------
  Checked the domain controller log under system.  Found the following:
  While processing an AS request for target service krbtgt, the account ecb-acs1$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 17. The accounts available etypes : 23  -133  -128  3  1. Changing or resetting the password of ecb-acs1$ will generate a proper key.
  and
  While processing an AS request for target service krbtgt, the account stcrye did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes : 18. The accounts available etypes : 23  -133  -128  3  1. Changing or resetting the password of stcrye will generate a proper key.
  This may be related to either clock scew between acs and the domain or introducing server 2008 domain controllers into an existing server 2003 domain. 
  On a desperate hunch, after yet again deleting the ACS object in AD and reloading the ACS, I used the new dedicated ACS user account, but gave it a wrong password. Hit save, watched it fail. Then I put in the correct password, hit save, and it worked! Finall we have re-joined and are connected to the domain.
  BUT ... I have now lost all confidence in ACS 5.3 . We are in the middle of a major rollout of WiFi clients using 802.1x authentitcation, replacing our previous pre-shared WPA setup. We are talking > 20,000 WiFi clients. If ACS <--> AD is not rock-solid, I need to try something else. Should we consider using LDAPS instead?
  Steve

• Account Lockout issue between Apple devices and Exchange 2003

  I have been having an ongoing issue for a couple of months with a few different users Apple devices locking out their accounts in AD when they try to authenticate to ActiveSync.  This doesn't happen every time they authenticate, it seems to be random,
  while the rest of the time they have access to their email.  It might occasionally happen with an Android, but not on a repetitive basis like this.
  Primarily this has been four different iPads, running different versions of iOS, and an iPhone running the latest release of iOS 7.  Other iPhones and iPads function without having the problem, including iPhones on iOS 7.  
  The user accounts in question are set to never have their passwords expire, but again, they aren't the only users that are set like this, and those other users, even with Apple devices are not having the same problem.
  I used NetWrix to trace out the source machine, which is my Exchange 2003 server and times, and I've checked the W3SVC1 log file, and come up with the following as an example with identification details masked:
  <internal IP>, <Domain\Username>, 4/30/2014, 8:10:04, W3SVC1, <ServerName>, <internal IP>, 15, 329, 3367926, 200, 0, GET, /exchange-oma/<[email protected]>/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplV50462*****/eb53cd5d5b9fcf40****************-20ef44,
  As I was typing this, the owner of the iPad from the log file above came by my desk, so I asked a couple more questions.  He's never had another iPad, it's a gen 1, and he's never updated the iOS on it.  I know one of the other iPads in question
  has the most up to date iOS, and the other one is brand new, replacing one that was broken, but the owner of that one had the same issue on a 3 year old iOS.  
  There is nothing special about the user accounts, no special privileges or restrictions.
  Has anyone encountered this before?  Exchange 2003, Server 2003 in a 2008 domain.  Promotion to the 2008 domain was 2 years ago.

  Hi Brian,
  I am so sorry for the delay.
  Do you have any progress by now?
  Since there are lots of devices which use user accounts to log on, failed logon attempts on these devices could be the cause for account lockout.
  If this issue persists, I suggest you refer to these troubleshooting articles below:
  Troubleshooting account lockout the PSS way
  http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
  Troubleshooting Account Lockout
  http://technet.microsoft.com/en-us/library/cc773155(v=WS.10).aspx
  In addition, you can also get efficient support at Active Sync forum below:
  http://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchangesvrmobilitylegacy
  Best Regards,
  Amy

• Asking for iCloud account name and password to play iTunes radio when I have done it in the past many times without this question.  Will not accept my apple id and password.  Will not save my changed password.  Where do I start?

  I have a MAC with OS X Yosemite, version 10.10.2, 8GB, 2.7 GHz, intel core i5.  Until 2 days ago, I could click on iTunes radio, pick my station and listen.  Then 2 days ago, I do this and system asks for my iCloud account id and password.  Does not recognize apple id or password.  I change the password, does not save it.   Screen that lists 2 step verification asks for added security questions, I do those and still will not allow me access.  What do I do and where do I start?  I thought I should download the update to OS X.  I did that, still no change.  Please help direct me to where I need to go to fix this problem.
  Yogiowl

  Restoring an iPad from an iTunes-generated backup should not require an Apple ID password.
  Did you encrypt the iPad backup? If so, then trying to restore will require entering the encryption password.

• Re:  Invalid username and password when logging onto Hyperion workspace

  Hi,
  I have installed Hyperion Reporting and Analysis services.When I attempt to log on to Workspace, I get the following message;
  'You must supply a valid User Name and Password to log onto the system."
  I have tried using the admin and password as username and password.I am able to login to Essbase Administration Services and User Management Console using this account.I have provisioned the user to Hyperion System 9 BI+ .
  Thanks in advance.
  -Sowmya

  I was told that Dsun.net.inetaddr.ttl=0" is required to be passed to the web application server (JVM) that starts Hyperion Shared Services and all System 9 products that depend on Hyperion Shared Services
  Is this correct? I see these errors in the log when I try to log into Workspace in the morning:
  2010-03-24 08:26:03,509 [[ORB=_it_orb_id_1,Pool=1]::id-12] WARN com.hyperion.css.spi.impl.ldap.LDAPProvider.authenticate(Unknown Source) - javax.naming.ServiceUnavailableException: ldaps.lirr.org:636; socket closed; remaining name ''

• Strange username and password in Mozilla saved passwords for chrome://weave (Mozilla Services Encryption Passphrase)

  What is chrome://weave (Mozilla Services Encryption Passphrase) ?
  I checked my saved password list in Mozilla Firefox and I found two strange usernames for site: chrome://weave (Mozilla Services Encryption Passphrase) and chrome:weave (Mozilla Services Password). Is this username randomly generated or is it possible that some addin/application/malware automatically generates this username and password.
  The username for both is "gjqsnhtjmmojlnmtepcdbiccdfrrerid"
  Password for chrome:weave (Mozilla Services Password) is a password I use commonly so seems to be provided by me but the password for : chrome://weave (Mozilla Services Encryption Passphrase) is a combination of random letters(just like the username)
  My issue is only that it should not be the work of any malicious content lying in my system which has reached my Mozilla Saved Passwords

  chrome://weave (Mozilla Services Encryption Passphrase is the sync key that is used to locally encrypt your data before sending it to the Sync server.<br />
  That key is automatically generated and changing the sync key will wipe all data stored on the sync server.<br />
  It is good practice to have a backup copy of the sync key.<br />
  The user name stored in the password manager is also generated, but you can always use the email address to get access to your sync account.

• Is it possible to create a standard form that can be emailed to anyone and once filled out by the receiver, have a button that the receiver clicks and the form is encrypted and attached an email back to the sender and a preset admin password would open it

  Is it possible to create a standard form that can be emailed to anyone and once filled out by the receiver, have a button that the receiver clicks and the form is encrypted and attached to an email back to the sender and a preset admin password would open it?

  Hello Graphicsguy123,
  You would need to first create the form ( or Widget in EchoSign) first to generate a url which you can paste it in the email being sent to customers. You would need to make sure you have a Document Cloud Enterprise Premium account in order to create a Widget. If you don't have the account, you can use the trial version to test it. Here is the link:
  Global Trial Registration | eSign services from Adobe
  -Rijul

• How to encrypt username and password before transmit on client side

  I want to encrypt the username and password at client side when user login to my page first and then send to server.
  Could anybody tell me how to do it?
  Thanks a lot.

  Yup , What suggested is true...
  The HTTPs authentication type is mainly for encrypting..
  This is an extract from the book i have which states how you can do that...
  UNDERSTANDING AUTHENTICATION MECHANISMS
  HTTPS Client authentication :
  HTTPS is HTTP over SSL (Secure Socket Layer). SSL is a protocol developed by
  Netscape to ensure the privacy of sensitive data transmitted over the Internet. In this
  mechanism, authentication is performed when the SSL connection is established
  between the browser and the server. All the data is transmitted in the encrypted form
  using public-key cryptography, which is handled by the browser and the servlet container
  in a manner that is transparent to the servlet developers. The exam doesn�t
  require you to know the details of this mechanism.
  Advantages
  The advantages of HTTPS Client authentication are
  � It is the most secure of the four types.
  � All the commonly used browsers support it.
  1 Actually, instead of the password, an MD5 digest of the password is sent. Please refer to RFC 1321 for
  more information.
  Disadvantages
  The disadvantages of HTTPS Client authentication are
  � It requires a certificate from a certification authority, such as VeriSign.
  � It is costly to implement and maintain.