Implementing SSL during user log in

Similar Messages

• ACE - keep user on SSL only if logged in

  Hi everyone
  We have a complicated scenario which we need to achieve using the ACE4710. This is what we want to achieve:
  1) User browses to site http://www.site.com.
  2) User logs in and login is posted to secure path https://www.site.com/myaccount.
  3) Once the user is logged in, all subsequent requests to http://www.site.com/* need to be redirected to https://www.site.com/*. In other words, once the user has accessed /myaccount within the session, all further requests must be SSL, no matter which page on the site they are on.
  Is this possible with the ACE?
  Thanks

  ACE has no knowledge about what happened in a previous connection.
  All you can do is inspect the header of the new http request and identify some information which could identify if the user is logged in or not.
  For example, if the server sets a particular cookie when the client is logged in, you can check the presence of this cookie to determine if the client is connected and send the redirect to https.
  BUT, since the client will potentially keep the same cookie, even if he logs out, then ace will continue redirecting the client to https.
  Only the server has the complete knowledge of the client state.
  So the redirect should come from the server.
  Gilles.

• Number of users logged in during cube refresh activity

  I am using Hyperion 11.1.2.1 and running  Planning cube refresh activity using \Hyperion\Planning\bin\CubeRefresh.cmd.
  Is there any way to find out total number of users logged in into a particular Planning Application during Cube refresh activity running for that application ?

  I don't think Planning repository has information about sessions.
  Let us know if you succeed.
  I was not talking about Essbase as in "Essbase", all users that are performing an activity in Planning (data refresh, data load, run business rule) will show up in EAS sessions so if you run the maxl display session against Planning application it'll give you all users.
  Now OP, you can perform a search for "line count windows cmd" will give you ideas on how to count the lines and that count is going to be the numbers of users (well it is not the number of users, but number of sessions)
  ORA-00001: Unique constraint violated: Count lines in multiple files using Windows command prompt
  Regards
  Celvin

• Transformation of Data During User Reconciliation

  Hi all,
  I'd want transform data during user reconciliation from a trusted source SAP HR.
  In my case I have to transform the userid coming from SAP to generated a custom OIM User Login attribute.
  As described in the "Connector Guide for SAP Employee Reconciliation", I wrote a java class that implements the Transformation interface,
  the method "transform" has the code to generate the userid; then I created a jar, unploaded it, and finally I changed the following lookup definitions as described in the doc guide:
  - Lookup.SAP.HRMS.Configuration
  COD KEY = Use Transformation For Recon
  DECODE = YES
  - Lookup.SAP.HRMS.ReconTransformation
  COD KEY = User ID
  DECODE KEY = com.mycompany.custom.ReconUserLoginGenerator
  When the reconciliation process ends the OIM user login is created but it isn't trasformed; in the log I did't see any excpetion of my class and it seems that no trigger has been triggered for the class.
  Someone has suggestion about the Transformation data during user recon? I forgot something in order to transform data?
  Thanks a lot,
  Ettore

  Hi Martin,
  I uploaded the jar using the "Upload" utility as described in the doc, (the version of OIM system is 11g).
  Ettore

• Exchange Online users logging into OWA On Premises.

  Greetings!
  We are implementing hybrid Exchange Online with Exchange 2013, and we face the following situation:
  When an Exchange Online user tries to access through OWA on-premises, a page appears with a link to the Exchange Online OWA.
  Is it supposed to be this way?
  Why the redirection is not automatic?
  Seems so obvious that the redirect should be automatic that if it is to be this way (the user having to click the link), there must be some technical justification. Can anyone refer me some article about it? For to convince the top brass of the company here
  that it has to be like that!
  Thanks in advance !!!
  Fabio Martins MCDST/MCSA Brasil!!!

  Hi
  As per the information and details provided by you, to solve the problem of Exchange online users logging into OWA on Premises, please follow these steps: -
  The user will be able to use the
  OWA URL points to the on-premises Exchange 2013 server. On the redirection page, you can choose to
  save the new URL to his browser favorites and click on the URL.
  When clicking on the URL, the user will be taken through the authentication process. For OWA, that means that you can try to access his mailbox in Exchange Online &
  Exchange online will redirect the user to “login.microsogtonline.com”, where
  you can enter UPN.
  Once the UPN is entered and you switches to the password field, Office 365 will detect that the UPN domain is federation with an Office 365 tenant. This result in a redirect
  to the on-premises federation endpoint (in this case sts.clouduser.dk) and depending on whether the user is domain joined and domain-connected or uses an external client, you will get
  single sign-on (SSO) or be required to enter your UPN and password.
  Because of the organizational relationship that was set up between Exchange Online and Exchange on-premises during the Exchange hybrid configuration lookups when booking
  meetings, mail tips, etc. also work as expected from Exchange Online to Exchange on-premises and vice versa.
  I hope this information will be helpful for you.
  Thanks and regards
  Shweta@G 

• How to get user 'logged in' to ironport web filter without launching IE

  We have an issue with some employees who use third party programs that traverse the Internet.  These programs are 100% allowed by the organization as they are required for day to day business.  Some programs go over the Internet to communicate for certain reasons, such as a live chat help support, or ordering products, etc..
  The problem is that some of these users log in and never even touch Internet Explorer for awhile.  They will go on and start working right away.  Well if they don't try to access an Internet site via IE, then the Ironport does not 'log them in', and they are known as unauthenticated.  Of course this doesn't happen with everyone.  There's nothing wrong with people coming in a little early and checking the local news online.
  We were thinking up if it's possible to have each user 'touch' the ironport web filter in some way during a logon script, unbeknown to the end user, so that they are 'signed in' and whatever Internet connected application they launch has access through to the Internet.  Right now they need to at least launch IE and go to some site (say Google or MSN) and via NTLM credentials transparently passed through IE7, 8 or 9, they can simply close the page and go about their business.  Note: they MUST go to an external site.... not an internally hosted one (such as our Intranet, time clock or HR self service pages).
  So is there any commands we can put in via kix or bat or something that will say "Hey Ironport, %username% just logged in at 10.x.x.x".  Then maybe to make it more advanced, a logoff script that says "Hey Ironport, %username% just logged OFF of 10.x.x.x".  This way when our hourly timeout happens, they aren't immediately booted from their Internet applications (if they don't keep an IE window open that is).
  Right now our ASA Firewall uses WCCP to forward port 80 to the ironport web filter.  The Ironport is a transparent proxy.
  Thanks!

  So it looks like you are moving the authentication from the Ironport S160 to the ASA5500 series firewall?
  I guess we are looking at something simpler, like a way to 'touch' the internet and pass NTLM credentials, because then the Ironport knows who the user is.
  If the user does not 'touch' the internet with IE, and say they use some other program that does not pass NTLM credentials (say Firefox or live chat program, or an ftp program, etc...) They are likely to be blocked, because the Ironport doesn't know who they are.
  Your link seems to lead to a complicated setup for something that seems so simple.  I'm not sure how that relates to an Ironport S160.. it seems to focus on the ASA5500. Also we want it to be completely 100% transparent to the end user.
  This is how it worked with a Barracuda web filter appliance...
  A DCAgent program sat on each domain controller. As users logged in or out of the domain, this agent passed this current activity to the Barracuda web filter appliance.
  The Barracuda appliance knew exactly who was logged in because of this little program on the domain controller(s) that kept it updated. Based on this, policies could be assigned based on Active Directory group memberships. ie) HR and Marketing can access Facebook, while others cannot.
  I guess I'm looking for similar functionality with the Ironport S160. If there's any way the domain controller, or even the client PC can say "Hey Ironport, %username% is logged on here at %ip_address%". That way the Ironport would know who they are, and there would be no unnecessary authentication boxes (besides the user logging into the windows domain). They could use internet connected apps that do not pass NTLM authentication. I guess the client PC or the domain controller would also have to tell the IronPort when they signed off, just so we don't have to deal with authentication timeouts. This way, say they are in our internet chat help program... after an hour, it will cut out and disconnect them - because the IronPort forgets who they are (unless they are actively using the internet with IE).
  So for now, we just use the bypass option for the affected internet services.  The default browser is IE, so the reality is that we are not suffering any tremendous inconvienence.  It's just that we want to ensure we have the best robust solution, and we can handle these types of situations with programs other than IE accessing internet resources.

• How to find the user logged on to machines in last 2 weeks,

  Hi All,
  I am running SCCM 2012 R2. I need your expert advice in a SQL query/sccm report.
  I have a list of about 1000 users. I need to find out the all the machines names that these user logged on to in last 2 weeks
  Hope you can help.
  Thanks
  Manish

  Hello,
  First, I don't this could be done with SCCM.
  If you have SCOM implement, it may help in this case. SCOM forum:
  https://social.technet.microsoft.com/Forums/systemcenter/en-US/home?category=systemcenteroperationsmanager
  In addition, logon information could be found in event log of DC. Audit the log with script could be another workaround.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• How to backup files from other user logged in as administrator

  RE: How to backup files from other user logged in as administrator AND/OR how to repair drive with "Invalid catalog PEOF"
  Hello,
  My MacBook Pro computer’s hard drive is not booting.
  I booted with the base operating system and ran Disk utilities and I got the following messages:
      Invalid catalog PEOF
      The volume could not be verified completely.
      This disk needs to be repaired.
      Disk utility can’t repair this disk. Backup as many files as possible, reformat the disk,
      and restore your backed-up files.
  The problem is that I have a couple of USERS set up on this computer, and it won’t let me backup the files of the second user.  The folders are locked and I can’t access them, even though I am logged in as the administrator.
  I made a boot disk on my other computer ( a MacPro Early 2008 ) desktop computer with the DiskWarrior 4.4 updater,
  but it won’t boot on my MacBook Pro.
  How can I backup these user files so that I can copy them back once I fix the drive?
  or better yet,  How can I repair the Invalid catalog PEOF on this drive?
  Thank you in advance for your time! 
  Bill
  THIS IS THE COMPUTER
  ================
  17” MacBook Pro 2.8GHZ 4GB Ram (purchased in 2009).
  Model: A1297
  Running Mac OSX 10.9.5

  Try using Disk Utility/Restore to copy the backup to a new location. Please note that this will reformat the destination partition which will erase all data.
  Do a backup. Boot to the Recovery Volume (command - R on a restart or hold down the option/alt key during a restart and select Recovery Volume). Run Disk Utility Verify/Repair and Repair Permissions until you get no errors.  Reformat the drive using Disk Utility/Erase Mac OS Extended (Journaled), then click the Option button and select GUID. Then re-install the OS.
  OS X Recovery
  OS X Recovery (2)
  When you reboot, use Setup Assistant to restore your data.

• Fits attribute on user id during user creation (Cont)

  Hi Experts,
  A little time ago , we posted some doubt regarding of how can we fits the attribute userID during user creation on User Interface.
  The previous discussion was posted here:
  "Fits attribute on user id during user creation"
  Link abou our issue "scn.sap.com/thread/3532549"
  As the Correct Answer:
  Alternative 2, add a To IdentityStore pass as part of the task workflow where your logic is implemented in a jscript:
  MSKEYVALUE=%MSKEYVALUE%
  ****AD_USER_ID=$FUNCTION.GENADUSERID(%MX_FIRSTNAME%!!%MX_LASTNAME%)$$
  The script is running very well, but when we create a new employee on HR System (No SAP) this this script is not running just for this new user but for all other users already exitents on IDM. The script increase in Mass an not just for new user.
  Does anyone know if this can be related with delta configuration, or this kind of validation ( create just for new employe placed on HR) needs to be done inside the script?
  THank you very much.
  Miguel

  Hello Miguel,
  is the "Create Identity"-task called by the HR-update-job?
  The screenshot in the old thread just shows the three inputs. I guess, there are some more in the used task. Did you check, if the other lines have the dot as a prefix, so that these attributes are only filled (and therefor the script only runs), when the entry is created, but not updated?
  If yes and it's missing for those two attributes, just add it.
  Regards,
  Steffi.

• How to retrieve users logging-in and logging-out date and times in SharePoint

  At the moment I am using SherePoint 2013 with a few tenants.
  I am going to have access to the users logging-in and logging-out dates and times.
  For instance, I would like to know the detail of the dates and times which a particular user of a tenant has logged-in and logged-out during the past few months.
  Any idea?

  You can retrieve that info from the IIS log files. Maybe you can use a free IIS reporting tool that I've built and adjust it to your own needs, you can get it here:
  http://gallery.technet.microsoft.com/office/The-SharePoint-Flavored-5b03f323
  Btw, in a web environment usually there is no such thing as the log-out date and time because the end user just stops making requests. So, you've got to take a look at the last request and by default, after 20 minutes the session times out and you can assume
  the session has ended.
  Kind regards,
  Margriet Bruggeman
  Lois & Clark IT Services
  web site: http://www.loisandclark.eu
  blog: http://www.sharepointdragons.com

• Implementing SSL

  Hi,
  Normally we implement SSL in case of B2B communication. If I am not wrong in this case we need to key storage services. One in XI and the other in the target business system. Please correct me if I am wrong.
  thanks
  kumar

  Hi ,
  SSL is required in B2B integration .You can install the J2EE keystore  and specify the details in adapter (for more info on j2ee keystore go to help.sap.com). If you are doign user authetication they you need specify the user name and pwd in your receiver communication channel  and that receiver business system should have that user with required previlages . Also  the Business system identifies each other using DUNS number , a  unquire identification number for each business partner . These DUNS  number you will have to specify in your configurration.
  useful links ,
  General guide
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
  Message level security
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
  Thanks ,
  Suvarna
  award pts if it helps .
  null

• Error when setting GPO Display information about previous logon during user logon on Wins 7

  We recently try to deploy a GPO on our network (All Server 2008 and Windows 7) to show previous logons during
  user logon. The setting is located in Computer Configuration| Policies |
  Administrative Templates | Windows Components | Windows Logon Options | Display
  information about previous logons during user logon = Enabled. Our domain
  level is set to Windows Server 2008. I verified that it is Windows Server 2008
  on Domain and Trust.
  Here is the article about this setting
  Active Directory Domain Services: Last Interactive
  Logon
  But after we deploy the setting, we are no longer able to login
  to any of our windows 7 machines. All of them got an error message said :
  “Security policies on this computer are set to display information about the
  last interactive logon. Windows could not retrieve this information. Please
  contact your network administrator for assistance.”
  The setting
  worked on windows server 2008. I was able to login to DC and revise the setting,
  so we can log back in the windows 7 machines.
  Anyone has experience this
  issue before? I looked up all of the web and only thing they said is to make
  sure the domain functional level must be set to Windows Server 2008, which it
  is.

  Hi,
  Have we also applied this setting to domain controllers?  To make this policy work properly, we also need to apply this setting to domain controllers. If not, users will not be able to log on to the system.
  Regarding this point, the following article can also be referred to for more information.
  Group Policy Setting of the Week 35 – Display information about previous logons during user logon
  http://www.grouppolicy.biz/2010/07/group-policy-setting-of-the-week-35display-information-about-previous-logons-during-user-logon/
  Best regards,
  Frank Shen

• Rules within sequence are not completing after user logged out.

  We have been noticing since yesterday that rules within a sequence not being completed when user logs off planning.
  A. User kicks off a sequence from planning. This sequence has 4 rules.
  B. Logged off either after launching or after waiting few minutes and logged off.
  C. Next rules do not start and we noticed session is ending from AAS.
  However user closes browser sequence completes. Yes sequence has no errors. It was working fine until last week and only change was 'NETDELAY' value. Changed from 1500 to 60000.
  Not tried from SmartView yet.
  Edited by: venuramini on Jun 22, 2009 5:40 PM
  Corrected typo in title.

  Reason for changing from 1500 to 60000 was, do not remember exactly, issue with MS Excel connectivity. We implemented long ago in dev but never updated other environments.
  As far as other HBR_MAX_WAIT_FOR_RULE and HBR_MONITOR_DELAY we have tried and did not achieve desired results.
  FYI: we are using Planning 9.3.0.1 and wanted rules running longer than 60 minutes to go in background mode. But above setting would not be useful for 9.3.0.1.
  Am I confusing you?
  More info of original issue: Business rules time-out. Planning 9.3.0.1
  Since then, we have increase web session time-out to 720 min (12 hours), in-activity session timeout to 720 min to let sequence complete even if user session timed out.
  Thanks!
  Venu

• BUG: Installer of Internet Explorer 9 breaks Active Setup, if first user logging on has no admin rights

  Hello,
  I just stumbled across an issue when deploying the Internet Explorer 9 on Microsoft Windows 7 SP1, like many others before me. See here for example:
  http://www.butsch.ch/post/Internet-Explorer-9-Setup-Breaks-Active-Setup-of-further-MSI-Packages.aspx
  The Internet Explorer 9 setup creates the REG_SZ "NoIE4StubProcessing" with the value "Y" under HKLM\Software\Microsoft\Active Setup\Installed Components. This blocks all Active Setup components from being executed, when a user logs on. This seems to
  be part of the preparation for the reboot during the IE 9 setup and is supposed to be reversed afterwards.
  To re-enable the Active Setup processing, the IE 9 installer places a command in the RunOnce-Key under HKLM. This command is also labeled "NoIE4StubProcessing" and contains the following command line:
  reg.exe DELETE "HKLM\Software\Microsoft\Active Setup\Installed Components\NoIE4StubProcessing" /f
  In theory, this command will be executed as soon as the first user logs back on, remove the registry entry blocking the Active Setup process and thus enable it again.
  However, this only works, if the first user has local admin priviledges on the machine. If an unpriviledged user logs on, the command is still executed and the entry under "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" is
  removed, but the "NoIE4StubProcessing" entry under "HKLM\Software\Microsoft\Active Setup\Installed Components" remains - resulting in a permantely disabled Active Setup on the machine.
  I am not sure, that this is a bug of the IE 9 installer or the way the commands under  "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" are executed. Nevertheless, a fix for the problem would be great instead of shitty workarounds, that may
  break other things.
  Due to other means of contacting the developers / program managers in charge, could some moderator pass the issue along? - Please!
  ----------------------- Greetings from Germany, Martin

  Hi Martin,
  all feedback/issue reports for IE(10) go through a formal issue tracking portal that MS use. http://connect.microsoft.com/ie
  you may appreciate that this helps ensure the issue is formally documented and that resources can be allocated to its resolution.
  I have posted your feedback there on your behalf...
  https://connect.microsoft.com/IE/feedback/details/754350/ie9-installer-registry-key-switches-flaw-reported-on-technet
  Rob^_^

• How we know the Number of users logged into stratus?

  Hai,
  How can we  know the number of users logged into stratus? If we knows only,in our project we can check the users are valid/authenticated.can we check that?
  Advanced Thanx

  Stratus is adobe service which provides you with p2p id or say all your
  application's users a p2p id. Adobe doesn't have any admin section where you
  can manage/see all connected p2p users in your application.
  This you have to implement at your end in your application code i.e.
  authentication,validation and user counter.
  Thanks,
  Vivek.