Identity-based firewall - how to ignore a username

I have set up an identity-based firewall configuration.
This all seems to work quite well, but some issues still arise:
policies with user groups containing spaces (e.g. "Domain Users") are not handled correctly;
it seems that a process or service account (or whatever) running on a workstation and firing a Kerberos ticket request deletes the IP-user mapping that was recorded for the user who logged in.
The group names can be handled, but it would be absolutely great to find a way to ignore certain usernames in the IP-user mappings, for instance "Administrator" or "epo_service_account".
Does anyone know how to arrange this?
Thanks,
Bas

Hi Frank,
Thanks a lot for your answer. Just one more easy question: is what I need to do a custom Authentication Module (which will read the cookie)? If you can just point me to the correct chapter of the WLS documentation I'll be very pleased.
In future releases of JDeveloper, will it be easier to do this kind of thing related to security?
Riveck

Similar Messages

  • Identity Based Firewall doesn't work using Citrix Published Desktop environment

    Hi!
    We are using the newest release of AD Agent (1.0.0.32.1, build 598). The ASA 5520 firewalls have software release 8.4(3)8 installed.
    The problem:
    When somebody tries to connect through the identity-based firewalls from a Citrix published desktop environment (PDI), the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in to. The user-of-ip mapping of the PDI's IP address mostly shows other users, which are then used to authenticate the access through the firewalls.
    What is interesting is that on the AD Agent, using "adacfg.exe cache list | find /i "USERNAME"", I can't see the PDI's IP address either, because it is mapped to another user.
    Questions:
    Is a Citrix published desktop environment supported to connect through identity-based firewalls?
    Does anybody know how AD Agent, domain controllers and firewalls work together?
    On the firewalls, with "show user-identity ad-agent", we see the following:
    Authentication Port: udp/1645
    Accounting Port: udp/1646
    ASA Listening Port: udp/3799
    Why does Cisco use 1645 and 1646 and not 1812 and 1813?
    What purpose is the listening port used for?
    Remark: we tried the AD Agent modes full-download and on-demand with the same effect.
    Thanks for your replies
    Walter

    There are no firewalls between the AD Agent and the DCs. We checked the names using nslookup. Everything is OK. I asked the people responsible for our AD to double-check the firewall settings and the logs on the DCs and on the AD Agent. As soon as I get an answer I will let you know.
    What I saw on the firewalls is that only one (the first) DC is communicating with the firewalls. Is this normal?
    fw-1# show aaa-server protocol ldap
    Server Group: AD-ALL
    Server Protocol: ldap
    Server Address: 192.168.229.30
    Server port: 0
    Server status: ACTIVE, Last transaction at unknown
    Number of pending requests 0
    Average round trip time 0ms
    Number of authentication requests 114
    Number of authorization requests 0
    Number of accounting requests 0
    Number of retransmissions 0
    Number of accepts 114
    Number of rejects 0
    Number of challenges 0
    Number of malformed responses 0
    Number of bad authenticators 0
    Number of timeouts 0
    Number of unrecognized responses 0
    Server Group: AD-ALL
    Server Protocol: ldap
    Server Address: 192.168.229.31
    Server port: 0
    Server status: ACTIVE, Last transaction at unknown
    Number of pending requests 0
    Average round trip time 0ms
    Number of authentication requests 0
    Number of authorization requests 0
    Number of accounting requests 0
    Number of retransmissions 0
    Number of accepts 0
    Number of rejects 0
    Number of challenges 0
    Number of malformed responses 0
    Number of bad authenticators 0
    Number of timeouts 0
    Number of unrecognized responses 0
    Server Group: AD-ALL
    Server Protocol: ldap
    Server Address: 192.168.229.39
    Server port: 0
    Server status: ACTIVE, Last transaction at unknown
    Number of pending requests 0
    Average round trip time 0ms
    Number of authentication requests 0
    Number of authorization requests 0
    Number of accounting requests 0
    Number of retransmissions 0
    Number of accepts 0
    Number of rejects 0
    Number of challenges 0
    Number of malformed responses 0
    Number of bad authenticators 0
    Number of timeouts 0
    Number of unrecognized responses 0
    Server Group: AD-ALL
    Server Protocol: ldap
    Server Address: 192.168.229.40
    Server port: 0
    Server status: ACTIVE, Last transaction at unknown
    Number of pending requests 0
    Average round trip time 0ms
    Number of authentication requests 0
    Number of authorization requests 0
    Number of accounting requests 0
    Number of retransmissions 0
    Number of accepts 0
    Number of rejects 0
    Number of challenges 0
    Number of malformed responses 0
    Number of bad authenticators 0
    Number of timeouts 0
    Number of unrecognized responses 0
    Server Group: AD-ALL
    Server Protocol: ldap
    Server Address: 192.168.229.41
    Server port: 0
    Server status: ACTIVE, Last transaction at unknown
    Number of pending requests 0
    Average round trip time 0ms
    Number of authentication requests 0
    Number of authorization requests 0
    Number of accounting requests 0
    Number of retransmissions 0
    Number of accepts 0
    Number of rejects 0
    Number of challenges 0
    Number of malformed responses 0
    Number of bad authenticators 0
    Number of timeouts 0
    Number of unrecognized responses 0
    Server Group: AD-ALL
    Server Protocol: ldap
    Server Address: 192.168.229.42
    Server port: 0
    Server status: ACTIVE, Last transaction at unknown
    Number of pending requests 0
    Average round trip time 0ms
    Number of authentication requests 0
    Number of authorization requests 0
    Number of accounting requests 0
    Number of retransmissions 0
    Number of accepts 0
    Number of rejects 0
    Number of challenges 0
    Number of malformed responses 0
    Number of bad authenticators 0
    Number of timeouts 0
    Number of unrecognized responses 0
    fw-1# sho user-identity ad-agent
    Primary AD Agent:
    Status up
    Mode: on-demand
    IP address: 192.168.11.8
    Authentication port: udp/1645
    Accounting port: udp/1646
    ASA listening port: udp/3799
    Interface: Intranet
    Up time: 1 day 0 hours
    Average RTT: 0 msec
    AD Domain Status:
    Domain DOMAIN: up
    fw-1#
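Both the original question (a service account's Kerberos request overwriting the logged-in user's mapping) and the Citrix thread above (many users behind one published-desktop IP) come down to how an IP-to-user table is updated from logon events. The following is an added Python model of such a table, not ASA or AD Agent code; its update rule (newest logon for an IP wins), the ignore list, the shared-host threshold and every name and address in it are assumptions made for the illustration.

```python
"""
Model of the IP-to-user identity table that an identity-based firewall
builds from domain-controller logon events.

Added illustration only (not Cisco ASA / AD Agent code). The update rule
"newest logon for an IP wins" is an assumption that reproduces the symptoms
described in the thread. Two defender-side controls are shown:
  1. an ignore list of service/admin account names whose logons must not
     overwrite the interactive user's mapping, and
  2. detection of shared hosts (e.g. Citrix published desktops) where many
     distinct users log on from one IP, so identity policy for that IP is
     unreliable and should be reviewed rather than trusted.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LogonEvent:
    ts: int        # seconds since epoch (constructed values below)
    ip: str
    user: str


@dataclass
class IdentityMap:
    ignore_users: set                      # lower-cased account names to skip
    shared_host_threshold: int = 3         # distinct users per IP => "shared"
    ip_to_user: dict = field(default_factory=dict)
    seen_users: dict = field(default_factory=lambda: defaultdict(set))
    ignored: list = field(default_factory=list)

    def apply(self, ev):
        """Apply one logon event; return True if the mapping was updated."""
        if ev.user.lower() in self.ignore_users:
            self.ignored.append(ev)        # keep for audit, never map it
            return False
        self.seen_users[ev.ip].add(ev.user.lower())
        self.ip_to_user[ev.ip] = ev.user   # newest logon wins (assumed rule)
        return True

    def shared_hosts(self):
        """IPs with too many distinct users: identity policy is unreliable there."""
        return sorted(ip for ip, users in self.seen_users.items()
                      if len(users) >= self.shared_host_threshold)

    def identity_for(self, ip):
        """(user, trusted): user attributed to ip, and whether that attribution
        should be trusted (False for unmapped IPs and for shared hosts)."""
        user = self.ip_to_user.get(ip)
        trusted = user is not None and ip not in self.shared_hosts()
        return user, trusted


def build_map(events, ignore_users, threshold=3):
    """Replay events in time order into a fresh IdentityMap."""
    m = IdentityMap({u.lower() for u in ignore_users}, threshold)
    for ev in sorted(events, key=lambda e: e.ts):
        m.apply(ev)
    return m


# Constructed sample: workstation 192.168.50.10 is used by bas, then a service
# account requests a Kerberos ticket from the same host (the overwrite from the
# question). 192.168.60.5 stands in for a Citrix published-desktop host with
# several users. All names and addresses are made up.
SAMPLE_EVENTS = [
    LogonEvent(100, "192.168.50.10", "DOMAIN\\bas"),
    LogonEvent(160, "192.168.50.10", "DOMAIN\\epo_service_account"),
    LogonEvent(200, "192.168.60.5", "DOMAIN\\walter"),
    LogonEvent(230, "192.168.60.5", "DOMAIN\\anna"),
    LogonEvent(260, "192.168.60.5", "DOMAIN\\chen"),
    LogonEvent(300, "192.168.50.20", "DOMAIN\\Administrator"),
]
IGNORE = {"DOMAIN\\epo_service_account", "DOMAIN\\Administrator"}

if __name__ == "__main__":
    naive = build_map(SAMPLE_EVENTS, ignore_users=set())
    hardened = build_map(SAMPLE_EVENTS, ignore_users=IGNORE)
    print("without ignore list:", naive.identity_for("192.168.50.10"))
    print("with ignore list:   ", hardened.identity_for("192.168.50.10"))
    print("shared hosts:       ", hardened.shared_hosts())
```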

  • How to ignore programmatically some items during a query ?

    Hi all,
    The process of my application is like this: first of all the end-user enters some criteria, then he/she presses a button to search for the possible results matching the criteria entered (execute_query). The possible results are displayed through a multi-record based data block.
    The criteria screen has two parts, say part_a and part_b. When the end-user does not enter any criteria in part_b then the datasource of the results block should be a table, say data_source_1; and if some criteria are entered in part_b then the datasource of the results block should be a view, say data_source_2.
    The datasource data_source_1 has fewer columns than the datasource data_source_2, but all of data_source_1's columns are included in data_source_2.
    So my problem is that when the datasource of the results block is set to data_source_1 there are unknown columns when executing the query (alert error). All of the columns of data_source_2 are included in the results block, and all of the columns of data_source_1 are automatically there because, mathematically speaking, data_source_1 is included in data_source_2.
    I have tried to use this statement in the pre-query trigger of the results block: set_item_property('results_possibles.column_a',queryable,property_false); but the same error still occurs.
    So how do I ignore these items?
    Thank you very much indeed.

    After looking at what you did to try to solve the problem, I'm not sure what the actual problem is.
    You can make both datasources have the same number of columns by selecting nulls:
    data_source_1: select a, b, c, null as d, null as e from <table>
    data_source_2: select a, b, c, d, e from <view>
    If you have a field which is used to query a column which is included in data_source_2 but not in data_source_1, and that field is populated when you run the query, then just set the block's default_where to ignore that field.
    e.g.
    data_source_1: where...and c like nvl(:control.c,'%')
    data_source_2: where...and c like nvl(:control.c,'%') and d like nvl(:control.d,'%')...

  • Standard (application-based) firewall with one additional port open?

    Lion and Snow Leopard both have application-based firewalls. I want to allow access to a Minecraft server on port 25565 but I don't want to allow all of Java. How can I open one port in addition to leaving the standard firewall in place?

    Hi
    The zone-based firewall uses "inspect" statements; that's just what it does.
    A simple zone-based firewall that will inspect all traffic going from the local network to the internet and protect the outside interface of the router, while allowing AnyConnect connections, would look something like this:
    ! Zones must exist before a zone-pair can reference them; put each
    ! interface in its zone with "zone-member security <zone>" (interfaces not shown here)
    zone security INSIDE
    zone security OUTSIDE
    ! Standard ACLs take a wildcard mask, not a subnet mask
    ip access-list standard INSIDE-NETWORK_ACL
     permit 192.168.1.0 0.0.0.255
    class-map type inspect INSIDE-NETWORK_CMAP
     match access-group name INSIDE-NETWORK_ACL
    class-map type inspect HTTPS_CMAP
     match protocol https
    policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
     class type inspect INSIDE-NETWORK_CMAP
      inspect
    policy-map type inspect OUTSIDE-TO-SELF
     class type inspect HTTPS_CMAP
      pass
    zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTSIDE
     service-policy type inspect INSIDE-TO-OUTSIDE_PMAP
    zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
     service-policy type inspect OUTSIDE-TO-SELF
    I haven't personally configured Zone Based Firewall with AnyConnect. So if this doesn't work you can look at this link: https://supportforums.cisco.com/document/46481/anyconnect-ios-zone-based-firewall-zbfw

  • Difference between element and identity based version

    Can anybody tell me the difference between the element-based and identity-based versions of the Object methods, with an example? Which classes implement them?

    Hunky322 wrote:
    At first it struck me as odd, given how List, Set, and Map define equals, but the part the OP left off clears it up a bit: "...because element-based equality is not always well-defined for queues with the same elements but different ordering properties." This line.
    So, you're saying you don't understand the following?
    > Queue implementations generally do not define element-based versions of the equals and hashCode methods but instead inherit the identity-based versions from Object because element-based equality is not always well-defined for queues with the same elements but different ordering properties.
    Okay, here's the deal.
    For a List, equals() is true if both Lists contain the same objects and in the same order. That's pretty straightforward, and it makes sense.
    For a Set, equals() is true if both Sets contain the same objects. Order is not considered because Sets are not generally ordered. Again, this is straightforward.
    So, you might think that Queue might define equals in a similar fashion--either if both Queues contain all the same elements, or if they contain all the same elements in the same order. However, this doesn't really work very well. Since ordering is an important part of a Queue, the ordering should be considered for equality. However, unlike Lists, two different Queues containing the same objects might define ordering differently. One might be a FIFO and the other might be a PriorityQueue, so how do you compare those two queues for equality?
    There are no clear-cut rules for equality between two arbitrary Queues, so the Queue interface does not define an equals method that's related to the contents of the Queues.

  • Difference b/w Hardware & Software based firewall

    How can I differentiate between hardware- and software-based firewalls?
    What are the key advantages of a hardware-based firewall?
    What are the limitations of a software-based firewall?
    Regards,

    Hi Syed
    Software-based firewalls are firewalls provided by software; for example, if you install the McAfee antivirus program, the firewall provided by McAfee is a software-based firewall. The Windows built-in firewall is another example of a software-based firewall.
    Hardware-based firewalls are those where we require separate hardware to perform the packet checks. For example, Cisco FWSM, PIX and Fortigate are all examples of hardware-based firewalls.
    Limitation of Software based firewall:
    Software-based firewalls aren't the ultimate security tool, however. A personal firewall can't prevent viruses from entering your system through legitimate sources such as a web browser or through email. An anti-virus program with constantly updated virus signatures must always be included in an overall security strategy.
    Personal firewalls also can't protect an entire network unless the software-based firewall is installed on every computer. In medium and large-scale environments, software-based firewalls must be managed properly to ensure optimal security coverage.
    Regards,
    Anim Saxena
    Technical Community Manager - Network Security
    *Kindly rate helpful Posts*

  • How to ignore blank/null key figure value in BI Queries

    Reports on Multiprovider - we see some cells of a Key figure as blanks. These blanks are interpreted as zeros by the system and calculated accordingly resulting in incorrect values. As per our requirement, we need a count of all hard/real zeros only, not the blanks. For example, if there are 10 rows of which 6 are real zeros and 4 are blanks - our count should be 6 and not 10.
    How do I ignore the blanks in BEx queries, please?
    Thanks for your help.
    Upender

    Rakesh,
    It is not possible to find a pattern because the report is on a MultiProvider with 2 InfoProviders- Purchasing documents DSO and Material Movements InfoCube.
    Every Purchasing Document has several materials associated with it. These materials are compared with materials in Materials Movement. Not all materials in Purchasing Document are found in Materials Movement. For those Materials found in Materials Movement, the Quantity is obtained. For these found rows, the correct value is showing up - if the quantity is zero, it is showing in reports as zero. If the material is not found in Material Movements then Quantity shows up as blank values.
    My requirement is to ignore such blank quantities and not count them. Only quantities with 0 values should be counted. Currently both blanks and zero values are counted, showing an inflated count.
    Thanks,
    Upender

  • Hi, I recently changed my username for my iTunes/iCloud account. Can anyone tell me how I change the username on my iCloud iPad? When I go into Settings to change it, it keeps the username grey so I can't even select it?

    Welcome to the Apple Community.
    In order to change your Apple ID or password for your iCloud account on your iOS device, you need to delete the account from your iOS device first, then add it back using your updated details. (Settings > iCloud, scroll down and hit "Delete Account")
    Providing you are simply updating your existing details and not changing to another account, when you delete your account, all the data that is synced with iCloud will also be deleted from the device (but not from iCloud), but will be synced back to your device when you login again.
    In order to change your Apple ID or password for your iCloud account on your computer, you need to sign out of the account from your computer first, then sign back in using your updated details. (System Preferences > iCloud, click the sign out button)
    In order to change your Apple ID or password for your iTunes account on your iOS device, you need to sign out from your iOS device first, then sign back in using your updated details. (Settings > iTunes & App store, scroll down and tap your ID)
    If you are using iMessages or FaceTime, you will also need to log out and into your ID there too.

  • *** How to get the username in a custom password change routine....

    How to get the username in a custom password change routine / procedure / form when a user's password has expired and is redirected automatically to this custom program?
    We use the 2nd parameter in LOGIN_URL column in WWSSO_LS_CONFIGURATION_INFO$ table to get to this custom change-password proc.

    OK!
    Using this may be good:
    select USERID into v_user from sys.aud$
      where ntimestamp#=(
      select max(ntimestamp#)
      from sys.aud$ );

  • How to ignore zero in select query

    select * from EINA where EINA~MATNR = yyyy and EINA~LIFNR = zzzz
    In the select query, how do I ignore the leading zeros? For example, EINA~MATNR = 0000000yyyy, EINA~LIFNR = 000zzz.
    Maybe I can use the LIKE keyword in the SQL query. Is there any other way?
    Thanks.

    Use the following conversion routines to convert yyyy & zzzz to remove the leading zeros, and then pass the results to your select query.
    For MATNR -> CONVERSION_EXIT_MATN1_INPUT
    For LIFNR -> CONVERSION_EXIT_ALPHA_INPUT
       DATA: t_matnr TYPE eina-matnr,
             t_lifnr TYPE eina-lifnr,
             it_eina TYPE TABLE OF eina.
       " Material number: MATN1 converts the entered value to the
       " internal (zero-padded) format that is stored in EINA-MATNR
       CALL FUNCTION 'CONVERSION_EXIT_MATN1_INPUT'
         EXPORTING
           input  = yyyy
         IMPORTING
           output = t_matnr.
       " Vendor number: ALPHA converts to the internal 10-character format
       CALL FUNCTION 'CONVERSION_EXIT_ALPHA_INPUT'
         EXPORTING
           input  = zzzz
         IMPORTING
           output = t_lifnr.
       SELECT * FROM eina INTO TABLE it_eina
         WHERE eina~matnr = t_matnr AND eina~lifnr = t_lifnr.

  • How to ignore the material with error in costing run ck40n

    Hi
    Please advise how to ignore the parent material from the costing run if the components of that material have errors. I need to run the costing run excluding the erroneous parent item. Is there any configuration for this?
    Please help.
    K

    Hi Kesharika Goona...
    If you want to exclude any material from the costing run, there are two ways...
    1. Go to the Material Master, Costing 1 view, and tick the check box "Do Not Cost". If you opt for this check box, the system will not consider this material for costing.
    2. Where you run the standard cost estimate in CK40N, once you save your costing run with the parameters like Costing Variant etc., when you select the "Parameters" against the flow step "Selection", you will be asked to give inputs like Material Number, Plant etc.
    There, against the Material Number, on the extreme right side, you will see an arrow; press that arrow, and there you can see a tab "Exclude Single Values". There you have to give the material number which you want to exclude from the costing run, then press the "Execute" icon on the bottom-left corner of that pop-up window.
    If you still face a problem, please revert.
    Srikanth Munnaluri

  • How to get the Windows username printed on each page irrespective of application? We have a CM6030F.

    How to get the Windows username printed on each page irrespective of application? We have an HP CM6030F.

    Hi,
    Normally, you will receive a Windows Azure Pass from your local Windows Azure team. Please try to contact your local Windows Azure contact (http://support.microsoft.com/gp/customer-service-phone-numbers?wa=wsignin1.0).
    Also, you could see this page
    http://www.windowsazurepass.com/AzureU/AcademicFAQ and apply the free trial azure via (http://www.windowsazurepass.com/AzureU/).
    Q: I am a student. Can I apply for a pass?
    A: Windows Azure Educator Grants are only for valid faculty. If your faculty has been awarded a Windows Azure Educator Grant, you will be able to get a pass through him/her for your coursework. If you are interested in learning more about Windows Azure,
    we encourage you to share these Educator Grants with your faculty or sign up for the FREE 3-month trial offer.
    Regards,

  • How to ignore the header line in FCC "Sender Side".

    Hi SDNrs,
    I am getting file data after FCC with header data.
    How do I ignore that header line coming with the actual data,
    like Employeeid, Name, Deptid?
    So this Employeeid, Name, Deptid is also coming as data.
    Or what approach should be used?
    Regards
    Prabhat Sharma.

    Hi,
    Use the "Document Offset" parameter in the Sender File CC.
    http://help.sap.com/saphelp_nw04/helpdata/en/2c/181077dd7d6b4ea6a8029b20bf7e55/content.htm
    Thanks
    Amit

  • How to ignore a DML operation using error handler.

    In our Streams replication application (using Oracle 10G), we have an error handler to handle the errors at the destination apply process. It uses a straight apply process with no DML handlers except error handlers. The error handler should just log the error and LCR info into the error log table and discard the DML LCR. Error logging is not a problem. But the problem is how to ignore the erroring DML LCR and move to the next LCR in the same transaction without a rollback of the transaction or any error.
    Another question: do I need to use the LCR.EXECUTE() procedure to continue the transaction in case of errors?
    Your help is appreciated.

    Thanks for reference, confirmation of use of execute function.
    I read those pages and other related pages in "Oracle® Streams Concepts and Administration" too.
    I am able to write an error handler to handle errors with a regular apply process. It is logging "no data found" errors but failing in case of foreign key violations. The error handler takes any kind of error, logs a record into the errorlog table and ignores the error. I think it is not calling the error handler. I checked for handlers in the dba_apply_dml_handlers table. There is a handler for insert, update and delete. I am investigating it further now. If you have any leads, please post.
    Thanks for your time and help.
    Dharma

  • HT5439 I can't access my university anyway, how can I add a username and password?

    I tried to use this solution to apply my university proxy, but it didn't work. Can you suggest more about how I can add a username and password?

    You should be able to use the OpenVPN Connect app running on your iPad to connect your iPad to the VPN directly. It is an official OpenVPN client for iOS devices.
    In what way is it "not compatible"? Have you tried it? Tunnelblick is an OpenVPN client, so your school's VPN is using the OpenVPN protocol. That means any OpenVPN client should be able to access it. (It is possible, but unlikely, that your school uses encryption that is not available on the iPad, but that would be very unusual.)
    Otherwise, a remote control app on your iPad would let you control your Mac at home. "Back to My Mac", for example, would allow you to control your Mac remotely. The tricky part of this is that usually a VPN is set up to send all Internet traffic via the VPN server, and I'm not sure how that would work with "Back to My Mac".
