Inappropriate authentication

I have a problem using SASL authentication. Every time I try to authenticate it throws LDAPException: Authentication failed (48); Inappropriate authentication. What's the problem? Is it in my code or in the configuration of the directory server?
My code:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "dn:cn=John Doe, ou=xxx, o=xxx");
env.put(Context.SECURITY_CREDENTIALS, "xxx");

Are you sure that the entry for cn=John Doe, ou=xxx, o=xxx contains a "userpassword" attribute and that the password is in cleartext?
Inappropriate Authentication means that the authentication could not be attempted because of either a bad sequence of operations or missing elements (such as a missing userpassword in the entry).
Regards,
Ludovic.

Similar Messages

  • DSEE7 Inappropriate authentication

    Hello,
    I'm trying to build an LDAP infrastructure with Sun DSEE 7, with the security patch, but now I experience a very strange issue: sometimes the server does not authenticate using simple authentication and gives Err 48, or an "Inappropriate authentication" message. The access log says:
    [09/Aug/2010:11:06:34 +0300] conn=184624 op=0 msgId=1 - BIND dn="uid=wiki,ou=bind users,dc=vu,dc=lt" method=128 version=3
    [09/Aug/2010:11:06:34 +0300] conn=184624 op=0 msgId=1 - RESULT err=48 tag=97 nentries=0 etime=0.000260
    [09/Aug/2010:11:06:34 +0300] conn=184624 op=1 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0.000070
    [09/Aug/2010:11:06:34 +0300] conn=184624 op=-1 msgId=-1 - closing from X.X.X.X:38759 - A1 - Client aborted connection -
    [09/Aug/2010:11:06:34 +0300] conn=184624 op=-1 msgId=-1 - closed.
    Error log shows nothing special, except some warnings about not indexed suffix.
    This unexpected behavior drives me crazy: sometimes everything works nicely, and sometimes you can't authenticate for several hours. I have no idea how to reproduce this error; I've only noticed that after rebooting the LDAP instance, everything goes fine again for a few hours. Do you have any ideas what might be wrong and how to fix it? I would have thought that this is a bug or something like it, but I don't think Sun has released the product with such a big issue.
    Thanks.

    I agree this is a strange behavior. I would suggest building a profile for this issue. What I mean by that is to go into your access log history and create a timeline sequence of events when this happened. Since the behavior leaves fingerprints in your access log, this shouldn't be too hard. I would get a week's worth of logs to start and find all intervals during the week when err=48 occurred. For each event, document how long the event lasted, whether other BINDs were succeeding, and which users were failing. For each event, inspect the error log in the same time interval. Look for any daemon or system event that has a correlation with the problem intervals.
    Once you have built this profile, you can add instrumentation to the profile: a higher level of logging, system debugging, etc. as appropriate. If you have audit logging on, we might be able to correlate some state change with the events more easily. Another step I can see taking is to tail your access log for err=48 and, when it happens, grab all attributes from whatever entry has failed login. If you want to paste your event profiles into this thread, we can look them over and make other suggestions.
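As an added example (not from the thread), the profile described in the reply above can be produced automatically: the script pairs each BIND with its RESULT on conn= and op=, clusters err=48 failures into events, and reports per event how long it lasted, which DNs failed, and how many other binds succeeded in the meantime. The log lines are constructed in the access-log format quoted above, and the 30-minute clustering gap is an assumed parameter.

```python
"""Profile err=48 (inappropriate authentication) events in a Sun DS / DSEE access log."""
import re
from datetime import datetime, timedelta

# Constructed sample in the access-log format quoted in this thread (not a real log).
SAMPLE_LOG = """\
[09/Aug/2010:11:06:34 +0300] conn=184624 op=0 msgId=1 - BIND dn="uid=wiki,ou=bind users,dc=vu,dc=lt" method=128 version=3
[09/Aug/2010:11:06:34 +0300] conn=184624 op=0 msgId=1 - RESULT err=48 tag=97 nentries=0 etime=0.000260
[09/Aug/2010:11:06:34 +0300] conn=184624 op=-1 msgId=-1 - closing from X.X.X.X:38759 - A1 - Client aborted connection -
[09/Aug/2010:11:06:40 +0300] conn=184625 op=0 msgId=1 - BIND dn="uid=app2,ou=bind users,dc=vu,dc=lt" method=128 version=3
[09/Aug/2010:11:06:40 +0300] conn=184625 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.000120
[09/Aug/2010:11:07:02 +0300] conn=184626 op=0 msgId=1 - BIND dn="uid=wiki,ou=bind users,dc=vu,dc=lt" method=128 version=3
[09/Aug/2010:11:07:02 +0300] conn=184626 op=0 msgId=1 - RESULT err=48 tag=97 nentries=0 etime=0.000250
[09/Aug/2010:13:30:00 +0300] conn=184900 op=0 msgId=1 - BIND dn="uid=wiki,ou=bind users,dc=vu,dc=lt" method=128 version=3
[09/Aug/2010:13:30:00 +0300] conn=184900 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.000200
[09/Aug/2010:15:00:00 +0300] conn=185100 op=0 msgId=1 - BIND dn="uid=svc,ou=bind users,dc=vu,dc=lt" method=128 version=3
[09/Aug/2010:15:00:00 +0300] conn=185100 op=0 msgId=1 - RESULT err=48 tag=97 nentries=0 etime=0.000300
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<body>.*)$'
)
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LDAP_INAPPROPRIATE_AUTH = 48


def pair_binds(lines):
    """Join each BIND request with its RESULT line on (conn, op).

    The server logs the request and its outcome as separate lines that share
    conn= and op=, so a pending BIND is kept until its RESULT arrives.
    Returns a list of dicts {ts, conn, dn, err} ordered by timestamp.
    """
    pending = {}
    binds = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "closed.", truncated or unrelated line
        key = (m["conn"], m["op"])
        b = BIND_RE.match(m["body"])
        if b:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
            pending[key] = {"ts": ts, "conn": int(m["conn"]), "dn": b["dn"]}
            continue
        r = RESULT_RE.match(m["body"])
        if r and key in pending:
            rec = pending.pop(key)
            rec["err"] = int(r["err"])
            binds.append(rec)
    return sorted(binds, key=lambda rec: rec["ts"])


def build_profile(binds, gap=timedelta(minutes=30)):
    """Cluster err=48 failures into events, as the reply suggests.

    Two failures less than `gap` apart (assumed value) belong to one event.
    Each event records its span, the DNs that failed, and how many other
    binds succeeded inside the span, which hints at whether the whole server
    or only some entries were affected.
    """
    events = []
    current = None
    for rec in binds:
        if rec["err"] != LDAP_INAPPROPRIATE_AUTH:
            continue
        if current and rec["ts"] - current["end"] <= gap:
            current["end"] = rec["ts"]
            current["failures"] += 1
            current["failing_dns"].add(rec["dn"])
        else:
            current = {"start": rec["ts"], "end": rec["ts"], "failures": 1,
                       "failing_dns": {rec["dn"]}}
            events.append(current)
    for ev in events:
        ev["duration_s"] = int((ev["end"] - ev["start"]).total_seconds())
        ev["succeeded_binds"] = sum(
            1 for rec in binds
            if rec["err"] == 0 and ev["start"] <= rec["ts"] <= ev["end"])
        ev["failing_dns"] = sorted(ev["failing_dns"])
    return events


if __name__ == "__main__":
    for ev in build_profile(pair_binds(SAMPLE_LOG.splitlines())):
        print(f"{ev['start']:%d/%b/%Y %H:%M:%S} lasted {ev['duration_s']}s: "
              f"{ev['failures']} err=48, {ev['succeeded_binds']} other binds OK, "
              f"failing DNs: {', '.join(ev['failing_dns'])}")
```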

  • Simple Authentication Problem

    Hi, I am using Sun Directory Server 6.0 with my application. To test my connection I supplied the rootDN, userDN, host, port and password with 'simple' authentication mode, but my test fails with the following exception on the console:
    SunOS-/export/home1/tecapp/TCS/tcserver/directory/INFOBASIC: testLDAP
    com.temenos.tocf.security.TCSecurityException: The authentication mechanism simple not supported by LDAP Server : ldap://hml-newsunt2a:389/uid=myT24,cn=T24,cn=Application,o=temenos,c=ch with user t24userid=inputter,uid=myT24,cn=T24,cn=Application,o=temenos,c=ch
            at com.temenos.tocf.security.common.LdapUtilities.getDirContext(LdapUtilities.java:447)
            at com.temenos.tocf.security.management.T24User2Directory.connect(T24User2Directory.java:255)
            at com.temenos.tocf.security.management.T24User2Directory.connect(T24User2Directory.java:185)
            at com.temenos.tocf.security.management.T24User2Directory.getSysDNListImpl(T24User2Directory.java:330)
            at com.temenos.tocf.security.management.T24User2Ldap.getSysDNList(T24User2Ldap.java:84)
    ------------- GETSYSDN  -------------------
    Time for call of CALLJ : 4820 [ms]
    20üError connecting LDAP server : The authentication mechanism simple not supported by LDAP Server : ldap://hml-newsunt2a:389/uid=myT24,cn=T24,cn=Application,o=temenos,c=ch with user t24userid=inputter,uid=myT24,cn=T24,cn=Application,o=temenos,c=ch
    The access log in my LDAP server recorded the following at the same time:
    [10/Nov/2009:15:35:21 +0000] conn=171 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 10.44.5.69:53988 to 10.44.5.69
    [10/Nov/2009:15:35:21 +0000] conn=171 op=0 msgId=1 - BIND dn="" method=128 version=3
    [10/Nov/2009:15:35:21 +0000] conn=171 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    [10/Nov/2009:15:35:21 +0000] conn=171 op=1 msgId=2 - SRCH base="uid=myt24,cn=t24,cn=application,o=temenos,c=ch" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms"
    [10/Nov/2009:15:35:21 +0000] conn=171 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
    [10/Nov/2009:15:35:21 +0000] conn=171 op=2 msgId=3 - UNBIND
    [10/Nov/2009:15:35:21 +0000] conn=171 op=2 msgId=-1 - closing from 10.44.5.69:53988 - U1 - Connection closed by unbind client -
    [10/Nov/2009:15:35:22 +0000] conn=171 op=-1 msgId=-1 - closed.
    [10/Nov/2009:15:35:24 +0000] conn=172 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 10.44.5.69:53989 to 10.44.5.69
    [10/Nov/2009:15:35:24 +0000] conn=172 op=0 msgId=1 - BIND dn="t24userid=inputter,uid=myT24,cn=T24,cn=Application,o=temenos,c=ch" method=128 version=3
    [10/Nov/2009:15:35:24 +0000] conn=172 op=0 msgId=1 - RESULT err=48 tag=97 nentries=0 etime=0
    [10/Nov/2009:15:35:24 +0000] conn=172 op=1 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0
    [10/Nov/2009:15:35:24 +0000] conn=172 op=-1 msgId=-1 - closing from 10.44.5.69:53989 - A1 - Client aborted connection -
    [10/Nov/2009:15:35:24 +0000] conn=172 op=-1 msgId=-1 - closed.
    Please help me and suggest a workaround, as I couldn't find any information regarding this on Google.
    Thanks
    SJunejo

    [10/Nov/2009:15:35:24 +0000] conn=172 op=0 msgId=1 - RESULT err=48 tag=97 nentries=0 etime=0
    err=48 is "inappropriate authentication". Maybe you don't have SASL configured properly.
    Please have a read of the admin guide:
    [http://docs.sun.com/app/docs/doc/820-2763/bcave]

  • Cfldap inappropriate authentication

    Hello everyone,
    I am trying to authenticate a user against LDAP (Unix and AD) and I have a strange problem. I tried both the AD LDAP server of my company as well as the Unix LDAP.
    My account works just fine; my password is along the lines of $Word3534. When I was using only AD LDAP, a user had a password with a ':' in it (:Word3534) and the page gave a nice error message; by changing to Unix LDAP this is fixed. Now, though, my test user has a password of Word:3534 and we get Inappropriate authentication. I know the password works as I tested it on several systems.
    Any ideas why this is happening?
    here is the code in my application.cfm

    This is just a WAG, but make sure that the user is not required to change their password at the first login. This would mean the account is locked out even though you created it successfully and accessed it once.

  • LDAP: error code (s) library ???

    Where can I get a list of all LDAP errors and an explanation of each error? Is any document or webpage available with such a list???
    Example: assume I got an error, "[LDAP: error code 65 - Object Class Violation]"; where can I check for the exact explanation of this error?
    Please help...

    Hi Guys,
    Here you go:
    Code (decimal)  Error code (string)  Description
    0 LDAP_SUCCESS Success
    1 LDAP_OPERATIONS_ERROR Operations error
    2 LDAP_PROTOCOL_ERROR Protocol error
    3 LDAP_TIMELIMIT_EXCEEDED Timelimit exceeded
    4 LDAP_SIZELIMIT_EXCEEDED Sizelimit exceeded
    5 LDAP_COMPARE_FALSE Compare false
    6 LDAP_COMPARE_TRUE Compare true
    7 LDAP_STRONG_AUTH_NOT_SUPPORTED Strong authentication not supported
    8 LDAP_STRONG_AUTH_REQUIRED Strong authentication required
    9 LDAP_PARTIAL_RESULTS Partial results
    16 LDAP_NO_SUCH_ATTRIBUTE No such attribute
    17 LDAP_UNDEFINED_TYPE Undefined attribute type
    18 LDAP_INAPPROPRIATE_MATCHING Inappropriate matching
    19 LDAP_CONSTRAINT_VIOLATION Constraint violation
    20 LDAP_TYPE_OR_VALUE_EXISTS Type or value exists
    21 LDAP_INVALID_SYNTAX Invalid syntax
    32 LDAP_NO_SUCH_OBJECT No such object
    33 LDAP_ALIAS_PROBLEM Alias problem
    34 LDAP_INVALID_DN_SYNTAX Invalid DN syntax
    35 LDAP_IS_LEAF Object is a leaf
    36 LDAP_ALIAS_DEREF_PROBLEM Alias dereferencing problem
    48 LDAP_INAPPROPRIATE_AUTH Inappropriate authentication
    49 LDAP_INVALID_CREDENTIALS Invalid credentials
    50 LDAP_INSUFFICIENT_ACCESS Insufficient access
    51 LDAP_BUSY DSA is busy
    52 LDAP_UNAVAILABLE DSA is unavailable
    53 LDAP_UNWILLING_TO_PERFORM DSA is unwilling to perform
    54 LDAP_LOOP_DETECT Loop detected
    64 LDAP_NAMING_VIOLATION Naming violation
    65 LDAP_OBJECT_CLASS_VIOLATION Object class violation
    66 LDAP_NOT_ALLOWED_ON_NONLEAF Operation not allowed on nonleaf
    67 LDAP_NOT_ALLOWED_ON_RDN Operation not allowed on RDN
    68 LDAP_ALREADY_EXISTS Already exists
    69 LDAP_NO_OBJECT_CLASS_MODS Cannot modify object class
    70 LDAP_RESULTS_TOO_LARGE Results too large
    80 LDAP_OTHER Unknown error
    81 LDAP_SERVER_DOWN Can't contact LDAP server
    82 LDAP_LOCAL_ERROR Local error
    83 LDAP_ENCODING_ERROR Encoding error
    84 LDAP_DECODING_ERROR Decoding error
    85 LDAP_TIMEOUT Timed out
    86 LDAP_AUTH_UNKNOWN Unknown authentication method
    87 LDAP_FILTER_ERROR Bad search filter
    88 LDAP_USER_CANCELLED User cancelled operation
    89 LDAP_PARAM_ERROR Bad parameter to an ldap routine
    90 LDAP_NO_MEMORY Out of memory
    For questions please contact me at [email protected]
    Thanks
    srinivasa

  • Javax.naming.AuthenticationNotSupportedException:[LDAP:error Code 13

    package test;
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    public class Test1 {
        // Connection settings (declared before use; the posted version had them after the catch block)
        public static String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
        public static String My_HOST = "ldap://192.168.0.88:389";
        public static String MGR_DN = "uid=kvaughan,ou=people,o=airius.com";
        public static String MGR_PW = "bribery";
        public static String MY_SEARCHBASE = "o=Airius.com";
        public static void main(String[] args) {
            try {
                Hashtable<String, String> env = new Hashtable<>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
                env.put(Context.PROVIDER_URL, My_HOST);
                env.put(Context.SECURITY_AUTHENTICATION, "simple"); // cleartext simple bind
                env.put(Context.SECURITY_PRINCIPAL, MGR_DN);
                env.put(Context.SECURITY_CREDENTIALS, MGR_PW);
                DirContext ctx = new InitialDirContext(env); // the bind happens here
                ctx.close();
            } catch (Exception e) {
                e.printStackTrace();
                System.exit(1);
            }
        }
    }
    javax.naming.AuthenticationNotSupportedException:[LDAP:error Code 13 Confidentiality Required]

    I have the same exception.
    This post is from 2003 and no one has posted any advice!!
    The exception:
    javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Inappropriate Authentication]
    but I found that it is related to the
    env.put(Context.SECURITY_AUTHENTICATION, "simple"); // 'simple' = username + password
    simple, EXTERNAL, none
    but after adding this line I still have the same error!!

  • Directory Server and Samba 3 PDC

    I'm trying to connect to directory server from samba 3
    # ./smbpasswd -w secret
    # ./net getlocalsid
    it says:
    bash-3.00# ./net getlocalsid
    [2006/04/29 13:29:10, 0] lib/smbldap.c:smbldap_connect_system(890)
    failed to bind to server ldap://merlin.cotarh.local with dn="cn=admin,dc=cotarh,dc=local" Error: Inappropriate authentication
    [2006/04/29 13:29:25, 0] lib/smbldap.c:smbldap_search_suffix(1346)
    smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timelimit exceeded)
    SID for domain MERLIN is: S-1-5-21-3865381809-2382358429-1619658665
    What's wrong?

    Once the user has authenticated with Kerberos, the token can be used with LDAP via SASL authentication with the GSSAPI / Kerbv5 mechanism.
    How to configure Directory Server 5.2 for this is fully documented in Chapter 11, Managing Authentication and Encryption, of the Administration Manual.
    <http://docs.sun.com/source/817-5221/ssl.html#wp20166>
    Regards,
    Ludovic.

  • Password attribute stored as binary

    Trying to bind against an iPlanet directory with ADSI. Anonymous bind is no problem. However, any use of passwords returns an 'Inappropriate Authentication' error. I discovered that the password is stored in binary format. Does anyone know if there is a "special way" to do a bind against a directory whose passwords are stored in binary?
    Thanks.
    Michael

    If you are talking about entries like this:
    userPassword:{SSHA}xxxxxxxxxx==
    That's the server encrypting the passwords. The password you want to use for the bind is the original unencrypted password.
    The system encrypts automatically. That is if you add a user with attribute
    userPassword: foo
    and then look at the directory entry, you'll find that "foo" turned into {SSHA}......
    But they still login with "foo".
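Added example, not part of the thread: what the {SSHA} storage described in the reply above looks like, and why a simple bind with the original cleartext password still verifies against it. It also shows why the DIGEST-MD5 answer at the top of the page insists on a cleartext userPassword: the mechanism's HA1 value is a digest over the password itself, which a one-way {SSHA} value cannot supply. The functions, the fixed test salt and the {CLEAR} prefix check are constructed for this example.

```python
"""How a {SSHA} userPassword is stored and checked, and why DIGEST-MD5 needs cleartext."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes of SHA-1 digest that precede the salt in the stored value


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build the stored form: "{SSHA}" + base64(SHA-1(password + salt) + salt).

    This is what the directory writes when you add `userPassword: foo`.
    A random salt is used unless one is supplied (a fixed one is handy for tests).
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check the cleartext password sent in a simple bind against a stored {SSHA} value.

    The salt is recovered from the stored value, the candidate digest is
    recomputed and compared in constant time. A value that is not {SSHA} at
    all yields False instead of raising, so a caller can try another scheme.
    """
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """HA1 of RFC 2831 DIGEST-MD5: MD5(username ":" realm ":" password).

    The server must compute this from the password itself, so it can only
    serve DIGEST-MD5 binds for entries whose userPassword is stored in
    cleartext (or another reversible form); a {SSHA} value gives it nothing
    to work with, and the bind fails with err=48 instead of err=49.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def usable_for_digest_md5(stored: str) -> bool:
    """True if the stored userPassword is cleartext.

    No {SCHEME} prefix means cleartext; the {CLEAR} label is assumed here as
    the explicit cleartext scheme name (constructed for this example).
    """
    return not stored.startswith("{") or stored.upper().startswith("{CLEAR}")


if __name__ == "__main__":
    stored = ssha_hash("foo")  # constructed sample password from the reply
    print(stored)                      # e.g. {SSHA}....==
    print(ssha_verify("foo", stored))  # True: bind with the original password
    print(usable_for_digest_md5(stored))  # False: DIGEST-MD5 cannot use it
```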

  • IFolder Data Store Issue

    iFolder 3.9? on OES11 SP1/SLES11 SP2. The iFolder data store is on a NAS via iSCSI. This works until the NAS "disappears" from the network and I have to hard-power down the NAS. We do have a newer gigabit switch on the way, but until then I cannot get the iFolder store to come back online. Here is what I used to have to do when this happened: log out of the iSCSI via yast-iscsi, restart the NAS, log in using the iSCSI initiator via YaST, run xfs_repair -L, then restart the server. This would usually work, but now I cannot get anything to work. fdisk -l shows the device:
    Code:
    Disk /dev/sdd: 1610.6 GB, 1610612737024 bytes
    255 heads, 63 sectors/track, 195812 cylinders, total 3145728002 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 524288 bytes
    Disk identifier: 0x00095eaa
    Device Boot Start End Blocks Id System
    /dev/sdd1 1024 3135326207 1567662592 83 Linux
    sdd1 will mount and I can see all the files/folders in the data store. The partitioner sees the iSCSI drive. Logs from simias:
    Code:
    2013-08-10 08:08:54,793 [-1443309824] ERROR Simias.LdapProvider.User - DN:cn=user,ou=Paradix,o=TNNDS
    2013-08-10 09:43:49,792 [-1451780352] ERROR Simias.LdapProvider.User - LdapError:Anonymous bind is not allowed
    2013-08-10 09:43:49,793 [-1451780352] ERROR Simias.LdapProvider.User - Error:Inappropriate Authentication
    2013-08-10 09:43:49,793 [-1451780352] ERROR Simias.LdapProvider.User - DN:cn=user,ou=Paradix,o=TNNDS
    eDirectory is up and running. Any ideas on how I can get iFolder back up and running?

    carnold6,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://forums.novell.com/

  • Exception while calling ADS Inappropriate WSIL Invalid Response Code: (401)

    Hi Experts,
    Our ADS configuration was done on XCE a long time back and even reader credentials were installed and everything is working fine.
    Couple of days back, we enabled SSL configuration on the system. Even got the certificates signed by CA and HTTPS is also working without any problems.
    Then problems started when we configured the WebService SSL connection for ADS following the steps from
    http://help.sap.com/saphelp_nwce72/helpdata/en/90/71d273fa724cc9bb644ab00405e6f8/content.htm and also the SAP How-to guide from: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d02262d8-7814-2c10-5c97-d855d38e9923?quicklink=index&overridelayout=true.
    Among other steps, I have created a View in Key Storage called "ADSCerts" and created an entry "ADSUser" as per the document, generated CSR request, imported CSR response and also the CA's root certificate.
    I exported the ADSUser-cert certificate from here and imported into Identity Management for the User ADSUser under its Certificates tab.
    Also updated SecureConfigPort_Document (in Destination Template Management under SOA Administration) security settings to X.509 Client Certificate and in Details, I have chosen the View ADSCerts and entry ADSUser.
    Even after all the steps as per the document and the help.sap.com link provided above, when I try to test this through a test URL (https://host:https-port/webdynpro/resources/company.com/test~wd/TestAdobeApp) that our developers have given me for this, I get a (401) Unauthorized error:
    500 Internal Server Error is returned for HTTP request
    [https://host:https-port/webdynpro/resources/company.com/test~wd/TestAdobeApp]
    com.sap.tc.adobe.pdfobject.base.core.PDFObjectRuntimeException:
    Exception while calling ADS; Inappropriate WSIL; configure the
    destination path
    correctly./ncom.sap.esi.esp.service.server.query.discovery.ExtendedServiceException:
    com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested
    URL was:"Connect to https://host:https-port/inspection.wsil/"
    I have checked the security log file and it shows:
    LOGIN.FAILED
    User: N/A
    IP Address: 192.165.90.102
    Authentication Stack: sap.com/tcesiesp~wsil*inspection.wsil
    Also, ran Security Troubleshooting Wizard from NWA and reproduced the problem while collecting these traces. There were some entries like:
    Login failed!
    [EXCEPTION]
    java.security.PrivilegedActionException:
    com.sap.engine.services.security.exceptions.BaseLoginException: Cannot
    authenticate the user.
    Caused by: com.sap.security.core.server.jaas.DetailedLoginException:
    Received no SAP Authentication Assertion Ticket.
    Received no SAPLogonTicket. Authentication stack:
    [sap.com/tcesiesp~wsil*inspection.wsil].
    Any idea how I can solve this? Anybody got this error?
    Thanks,
    Shitij

    Opened an OSS message with SAP and they told me that the certificates generated from NWA are in a different format from what is accepted by the user store.
    So I generated new certificates at OS level using sapgenpse and now it worked.

  • SQL Transformation - Static connection information is inappropriate

    Hello,
    I'm a newbie to Informatica and I have a problem with the SQL Transformation.
    The mapping I created is valid. I created a session and a workflow. I set correct DB connections for the source and target in the "mapping" properties of the session.
    But when I start the task it fails with the errors:
    [ERROR] Failed to get the connections
    [ERROR] Static connection information is inappropriate to create a valid Database handle
    In the Informatica help it is written for SQL Transformation for Static connection - which type of connection is my SQL Transformation - "Configure the connection object in the session. You must first create the connection object in Workflow Manager." What does it mean?
    Why could static information be inappropriate?
    Informatica Version: 8.6.0
    Oracle DB Version: 11g2
    Informatica is installed on Windows XP

    Hi,
    According to your post, my understanding is that you got an error in your PowerView report.
    The error may be caused by a Kerberos authentication issue due to a missing SPN. In order to make Kerberos authentication work, you need to configure Analysis Services to run under a domain account and register the SPNs for the Analysis Services server.
    To create the SPN for the Analysis Services server that is running under a domain account, run the following commands at a command prompt:
    Setspn.exe -S MSOLAPSvc.3/Fully_Qualified_domainName OLAP_Service_Startup_Account
    Note: Fully_Qualified_domainName is a placeholder for the FQDN.
    Setspn.exe -S MSOLAPSvc.3/serverHostName OLAP_Service_Startup_Account
    For more information, please see:
    How to configure SQL Reporting Services 2012 in SharePoint Server 2010 / 2013 for Kerberos authentication
    As this issue is related to PowerView reports, if the issue still exists, I recommend you post your question to the PowerView forum.
    http://social.technet.microsoft.com/Forums/windows/en-US/home?forum=sqlreportingservices
    More experts will assist you, and you will get more information related to PowerView.
    Thank you for your understanding and support.
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support

  • Authenticating a Mac into a Windows-based Proxy Server.

    Hello.
    Once again, I have come to find help from the wisest Mac users there are.
    Now, my school network is Windows based. I can connect to the network and I can access the INTRANET (which contains the webmail and moodle, our CMS, etc.), but I cannot get through the proxy to get onto the INTERNET.
    I use DAVE X to connect to the shared drives on the server. I tried to get DAVE X to authenticate to the proxy with the NT credential, although it did not work. I also tried to authenticate using Authoxy using its authentication method, but that also did not work.
    The built-in authentication also does not work. The page I get, whatever authentication method I try (or even if I try without authentication), is "Access Denied".
    What I know is that the school uses WinGate or BlueCoat to handle proxy authentication and then they use WinProxy to censor material deemed inappropriate to be displayed in a school environment.
    Hopefully we have some users here who are knowledgeable in this area and can help me with this problem.
    I thank you in advance.
    Jeffrey

    Hello. I'm also having trouble with a proxy and authentication, which is why I ran across your post.
    Have you tried using Firefox (and entering your proxy information in its preferences - Firefox doesn't use proxies specified in System Preferences)?
    In my situation, software that relies on the proxy settings in System Preferences (Safari, iTunes, Widgets, Software Update) does not work. It doesn't matter what I enter for name and password, it never works.
    However, if I enter the same proxy info in Firefox, Firefox can successfully authenticate and I can surf the Web.
    This probably won't help you much but I thought I'd throw it out there. Good luck!

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the ADFS logon page after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message "Authentication failed".
    I based my setup on the TechNet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and that the CRL can be retrieved.
    I got event ID 300 in the event log:
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
    serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
    trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
    failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct. In my case I was not adding the root properly; you must add both the CA and the ADFS certificate, that is twice, as you can see below in my results.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>
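The session above registers the ADFS signing certificate without checking anything first. Added example (not the poster's code): the same two steps wrapped with the checks an administrator would want, namely that the certificate is within its validity period and is not already registered under another name, plus a listing of trust anchors close to expiry. The path and the 30-day window are assumptions; the cmdlets and properties used are the ones visible in the session.

```powershell
# Added example, not from the thread. Assumes the SharePoint PowerShell snap-in
# is loaded (Get-/New-SPTrustedRootAuthority) and that $certPath points at the
# exported ADFS token signing certificate (path reused from the session above).
$certPath = "C:\cer\SP2K10\ADFS_Signing.cer"
$name     = "Token Signing Cert"
$warnDays = 30   # assumed reporting window for soon-to-expire anchors

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# A trust anchor that is outside its validity period breaks claims sign-in for
# every user, so refuse it instead of registering it.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate '$($cert.Subject)' is not currently valid " +
          "(NotBefore=$($cert.NotBefore), NotAfter=$($cert.NotAfter))"
}

# The signing certificate in the thread is valid for one year; flag it early so
# the rollover can be planned rather than discovered as a login outage.
if ($cert.NotAfter -lt $now.AddDays($warnDays)) {
    Write-Warning "Certificate '$($cert.Subject)' expires on $($cert.NotAfter)"
}

# Match on thumbprint, not on display name: the same certificate registered
# twice under different names is easy to miss during later clean-up.
$existing = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }

if ($existing) {
    Write-Host "Thumbprint $($cert.Thumbprint) already registered as '$($existing.Name)'"
} else {
    New-SPTrustedRootAuthority -Name $name -Certificate $cert
}

# Report every registered trust anchor that expires within the window.
Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.NotAfter -lt $now.AddDays($warnDays) } |
    Select-Object Name,
                  @{ n = 'Subject';  e = { $_.Certificate.Subject } },
                  @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize
```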

  • Authentication - multiple domains with multiple accounts

    Dear All,
    Consider an environment where a user, Joe Bloggs, has an account on two Windows domains: DOMA and DOMB. DOMA is a domain that all users in the organisation are members of. DOMB is a domain used by a smaller subset of users. The user's machine is part of the DOMB domain.
    I'd like to deploy SharePoint 2013 on DOMA and have the user, logged on to their DOMB machine, seamlessly authenticate (through IWA) with SharePoint 2013.
    So far, I've thought of the following solutions:
    1.  Build a trust between the two domains.  Possible, but the AD information in DOMA is more up-to-date than that in DOMB and I'd like to use that to populate SharePoint user profiles.  Also, DOMB is likely to be deprecated in the future.
    2.  Use WorkPlace Join.  Unfortunately, devices are running Windows 7 and WorkPlace Join only works for devices running Windows 8.
    I've wondered whether it's possible to map two accounts on separate domains together so that a user on DOMB can effectively masquerade as their corresponding user on DOMA when authenticating with SharePoint, but haven't come across a way of doing this, yet.
    Any ideas?  Or, am I completely mad?!
    Thanks in advance.

    1) Is your only option for seamless logon with IWA. It is not possible to map accounts "together" so-to-speak. SharePoint stores a reference to the user's SID, which must match the user making the request.
    An ADFS trust might be another option, although that increases your deployment footprint and complexity.
    Trevor Seward

  • Error while authenticating a user

    Dear all,
    Hope you all are doing well.
    Production issue :
    When a user tries to log in with his username and password, he gets the error message "INTERNAL ERROR OCCURED".
    The standard RFC which I'm using for authenticating the user is SUSR_LOGIN_CHECK_RFC:
    CALL FUNCTION 'SUSR_LOGIN_CHECK_RFC'
      EXPORTING
        bname                     = ip_empid
        password                  = ip_password
      EXCEPTIONS
        wait                      = 1
        user_locked               = 2
        user_not_active           = 3
        password_expired          = 4
        wrong_password            = 5
        no_check_for_this_user    = 6
        password_attempts_limited = 7
        internal_error            = 8
        OTHERS                    = 9.
    " After the call sy-subrc holds the exception number (8 = internal_error).
    I want to know what the meaning of this internal error is. Is something going wrong with the standard RFC which I am referring to? Someone please help me out.
    Thanks in advance.

    Hi Syed,
    Really need more of a context to your problem.
    1. You've posted in the SSO forum. A SSO problem or a normal SAPGUI logon problem ?
    2. You say .... "And the standard RFC which i'm using for authenticating user is  SUSR_LOGIN_CHECK_RFC" .... Meaning what ??? you are using a home developed solution ?
    3. Problem affects one user or all users ?
    4. Backend version and kernel pl level please.
    Cheers,
    Amerjit
