Integrated Windows Authentication with a WebSphere Cliente

Similar Messages

• Integrated windows authentication with Oracle access manager 10g

  Hi SSo guys,
  Our project requirement is as follows:
  We have two applications Ebiz 11.5.10.2 and OBIEE10g and we are supposed to integrate IWA for both the applications
  so as per the below note OAM integration with IWA only works for the applications using IIS.
  So can we protect both the applications in OAM 10g and point those applications to two html pages say http://IIS hostname/ebiz and http://IIS hostname/OBIEE and protect those two resorces in OAM suing IIS webserver?
  As per the note :
  Doc ID 1072204.1 specify
  Excerpt from this doc:
  #-begin-
  OAM accomplishes IWA by using an OAM Webgate on the IIS Web Server that uses a hidden feature of external authentication to get the REMOTE_USER header variable value and map it to a DN for the ObSSOCookie generation and authorization. Behind the scenes, the IIS WebGate utilizes the UseIISBuiltinAuthentication parameter, by default, this value is false. IWA can only be achieved when this attribute is set to true on an IIS WebGate. This is not a valid parameter for any other OAM WebGate.
  #-end-

  It should be this way:
  Ebiz:
  1. Integrate OAM with OASSO
  2. Register OASSO and OID with Ebiz11.5.10.2
  3. Protect the resource in OAM
  4. Verify if authentication is successful for this resource.
  Obiee:
  1. Integrate OBIEE with OAM
  2. Verify if authentication is successful for this resource.
  IWA:
  1. Install IIS webser and webgate
  2. Create authentication scheme which protects / of IIS web server.
  Create a Form Authentication Scheme(this scheme should protect OBIEE and EBiz resource) which will have challenge redirect to IIS web server where IWA is configured and / is protected.
  Login Flow:
  1. User tries to access ebiz or obiee resource.
  2. Form Authentication Scheme will challenge redirect to IIS web server where IWA is configured.
  3. As IWA is configured. User will be automatically get ObSSOCookie.
  4. User gets redirected back to the requested resource.
  There is a My oracle support doc which talks in details about this setup.

• Integrating windows authentication with Sun ACCESS MANAGER

  Hi,
  I have implemented sun access manager and successfully protected an application (ABC). At present iam using the SDS as the authentication and authorization directory. I login in to the machine using the network username and password which is on AD.
  I want to integrate my authentication/authorization mechanism from SDS to AD. so that when i login into the machine and open application ABC it should not ask me for the credentials; instead allow me to the homepage directly.
  How to do this.
  Thanks in advance
  Maruthi

  Hi!
  Maybe this helps you, it describes how to setup AM and policy agent to handle basic authentication protected sites. While the article is about sharepoint it should work for any application.
  http://developers.sun.com/identity/reference/techart/sharepoint.html
  Christoph

• Windows authentication with oracle9i

  Hi,i am working on windows authentication with oracle9i.my client server is connecting and client can access the database.now can you please guide me the steps for windows authentication in brief.i will appreciate that.

  can u plz help me how to ser OS_roles value to true.

• SAAJ (Web Service Client) and Integrated windows Authentication

  Hello
  I have build a web service client using SAAJ, the Web services is deployed on MS IIS. Every thing seems to work fine, The problem appears when I apply directory security on the Web Service Directory. When I apply Basic authentication SAAJ manages to send the user name and password and it goes fine, but when I apply Integrated Windows Authentication, I always get a response Access is Denied.
  I know we can authenticate the user credentials from NTLM from JAAS but here I am using a web services client.
  My Question is How can we pass the user credentials through a web service client to the IIS when the directory security is Windows Integrated Authentication?
  Any work around or the solution will be appreciated.
  Thanks :-)
  Syed Saulat

  Hi Gilles,
  Thank you very much for your answer. Actually, I think the problem is a little bit different. The kerberos server is not delivering a "grant" ticket to the client for the service provided by the VIP, because the CSS didn't register to the Active Directory, as a normal W2K web server would. The first thing the client does when he wants to access a web server behind the CSS is to ask the kerberos server for a "gtanting" ticket for that service. So the problem arise before the client sends any packet to the CSS (therefore I think it is more a Microsoft problem rather than a CSS problem).
  But for sure, other people have this environment I suppose...
  What is your opinion on this ?
  Yves

• The kerberos PAC verification failure when all users of only one RODC Site, trying to get access iis webpage of different site using Integrated Windows Authentication

  The kerberos PAC verification failure when all users of only one Site which having only one RODC server(A), trying to get access iis webpage of different site which having WDC server(B) using Integrated Windows Authentication. But when they accessing the
  website using IP address, it is not asking for credentials as I think it is using NTLM Authentication at that time which is less secure than Kerberos.
  Note that:- All user accounts and Computers of the RODC has been allowed cache password on the RODC. Nearest WDC for the RODC (A) is the WDC (B).
  The website is hosted on a windows server 2003 R2 and generating below system event log for those users of the RODC site :-
  Event Type: Error
  Event Source: Kerberos
  Event Category: None
  Event ID: 7
  Date:
  <var style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">date</var>
  Time:
  <var style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">time</var>
  User: N/A
  Computer:
  <var style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">computer_name (the 2003 server)</var>
  Description: The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client<var style="color:#333333;font-family:'Segoe
  UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">computer_name</var> in realm <var
  style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">realm_name</var> had
  a PAC which failed to verify or was modified. Contact your system administrator.
  This issue has been raised for last one week. Before that everything was fine. No Group Policy changed, Time also same.
  In this situation do I need to do Demotion of the RODC and re-promote it as RODC again  or is there any other troubleshooting to resolve it.
  Thanks in Advanced
  Souvik

   Hi Amy,
  Thanks for your response
  I noticed that Logon server could become incorrect again after user re-login or restart of a workstation.
  It seems root cause is different.  Need a permanent solution.
  The Workstations of the RODC site are getting IP from a DHCP server by automatic distribution of IP from a specific subnet for the site only.  The RODC is
  the Primary DNS server for the site.
  I have checked the subnet and it is properly bound with only with that AD site. The group of users and workstations are in the same site AD organisational Unit.
  Sometime I restarted the NET LOGON service and DNS server service on ther RODC server and sometime rebooted the server. But the Logon server issue has not fixed permanently.
  The internal network bandwidth of the site is better than the bandwidth to communicate with other site.  
  The server is Windows server 2008 R2 standard and hosting the below roles
  RODC
  DNS
  File server
  The server performance is Healthy in core times when maximum users usually logins. 
  Any further support would be much appreciated Amy
  Thanks
  Souvik

• How to configure Axis stubs for Integrated Windows Authentication ?

  Hi All,
  I am trying to consume a web service on https and it uses .NET with Integrated Windows Authentication Security Mechanism. When I type the web service endpoint address in browser I am prompted for a login dialog and I login using username (in the format <domain name>\\<username>) and password given by the web service provider.
  Now I have generated stubs using AXIS 1.2 Final but I dont know how to pass or set the credentials (domain, username, password) in my client program. I tried <stub object>.setUsername and <stub object>.setPassword methods but I am not able to connect to the service and I always get HTTP Error Code 401.2 from the service. I am not sure this is right way to set credentials in my code. I tried searching this mailing list but no avail. Can anyone please help me.
  Thanks & Regards,
  Kr.

  Hello all - I ran into this and spent way too much time looking for the answer, however this is how I got it to work. My code was specific to getting SSRS authenication working so it should work with any NTLM authenciation via HTTP. setAuthenticateProperty() actually does the enabling of NTLM.
  * Sets up the needed information to enable NTLM authentication for SOAP/HTTP calls..
  * @author Brian Hayes
  public class NTLMAuthenticator {
      private Authenticator authenticator;
      private String username;
      private String password;
      private String domain;
      private String host;
      private URL wsdlurl;
       * Uses the endpoint.getHost() as the host name to use for authentication.
       * <li> Generally the endpoint host is the target for actual authenciation.
       * <br>
       * @param endpoint -
       *            The URL location of SSRS ReportExecution2005 wsdl.
       * @param username -
       *            User name needed for NTLM authentication.
       * @param password -
       *            Password needed for NTLM authentication.
       * @param domain -
       *            Domain for the user needed for NTLM authentication.
      public NTLMAuthenticator( URL wsdlurl, String username, String password, String domain ) {
          this.wsdlurl = wsdlurl;
          this.host = wsdlurl.getHost();
          this.username = username;
          this.password = password;
          this.domain = domain;
          this.authenticator = null;     
       * Instruct our NTLM authenticator to use setPreemptiveAuthentication or not. Default is true;
       * @return - true or false
      protected boolean usePreemptiveAuthentication(){
          return true;
       * The {@link Authenticator} is used to setup NTLM authentication to a webservice stub/client. <br>
       * Example:<br>
       * If you extended a Stub object, you would call getClient() or your Stub object.<br>
       * Then super._getServiceClient().getOptions().setProperty(HTTPConstants.AUTHENTICATE, getAuthenticator());<br>
       * <li>This should work with any URL/Soap call but it has only been tested with axis2 stubs.
       * <li> This also used PreemptiveAuthentication.
       * @return - {@link Authenticator} object populated.
      public Authenticator getAuthenticator() {
          if (this.authenticator == null) {
              this.authenticator = new Authenticator();
          List<String> auth = new ArrayList<String>();
          auth.add(Authenticator.NTLM);
          authenticator.setAuthSchemes(auth);
          authenticator.setUsername(this.getUsername());
          authenticator.setPassword(this.getPassword());
          authenticator.setDomain(this.getDomain());
          authenticator.setHost(this.getHost());
          authenticator.setPreemptiveAuthentication(this.usePreemptiveAuthentication());
          return authenticator;
      public void setAuthenticator( Authenticator authenticator ) {
          this.authenticator = authenticator;
      public String getUsername() {
          return username;
      public void setUsername( String username ) {
          this.username = username;
      public String getPassword() {
          return password;
      public void setPassword( String password ) {
          this.password = password;
      public String getDomain() {
          return domain;
      public void setDomain( String domain ) {
          this.domain = domain;
      public String getHost() {
          return host;
      public void setHost( String host ) {
          this.host = host;
      public URL getWsdlurl() {
          return wsdlurl;
      public void setWsdlurl( URL wsdlurl ) {
          this.wsdlurl = wsdlurl;
  * NTML Support for webservices where our webservice is protected via NTLM.
  * @author Brian Hayes
  public class NTLMReportExecutionServiceStub extends ReportExecutionServiceStub {
      private NTLMAuthenticator endpointAuthenticator;
       * Enables NTML authentication to our SSRS reports by setting the property via setAuthenticeProperty();
       * @param authenticator
       * @throws AxisFault
      public NTLMReportExecutionServiceStub( NTLMAuthenticator endpointauthenticator ) throws AxisFault {
          this(endpointauthenticator.getWsdlurl().toString());
          this.endpointAuthenticator = endpointauthenticator;
          this.setAuthenticeProperty();
      private void setAuthenticeProperty(){
          super._getServiceClient().getOptions().setProperty(HTTPConstants.AUTHENTICATE, this.getEndpointAuthenticator().getAuthenticator());
      public NTLMAuthenticator getEndpointAuthenticator() {
          return endpointAuthenticator;
      public void setEndpointAuthenticator( NTLMAuthenticator endpointAuthenticator ) {
          this.endpointAuthenticator = endpointAuthenticator;
       * Overrides the default URL location.
       * @param wsdlurl
       * @throws AxisFault
      private NTLMReportExecutionServiceStub( String wsdlurl ) throws AxisFault {
          super(wsdlurl);
  }

• Query on Integrated Windows Authentication....

  Hi All,
  I have a scenario to implement Integrated Windows Authentication using SPNego. But the initial page has to be loaded as anonymous portal onclick of the Logon button/Link, it has to validate the user against Integrated windows authentication and display the contents based on the user role.
  I have successfully implemented Integrated Windows Authentication, but if I type the anonymous URL, it is not loading the anonymous contents, it is directly displaying based on user role?
  Any suggestions on this??
  Thanks & Regards,
  Santhosh.C

  Hi Santhosh,
  We are planning to implement Windows integrated authentication using SPNego in EP7 with Microsoft Active Directory.
  Can you please share your experience and documents, in implementing the same. I have implemented Windows integrated authentication in EP6 with IIS proxy, but that is no longer supported.
  I appreciate your help in this regard.
  Regards
  Chandu

• Integrated Windows Authentication

  Hi All
  I need to implement Integrated Window Authentication in  EP7.0( SP16 ).
  Please help me to proceed further.
  Thanks & Regards
  Karthi

  Hi ,
  Check SPNego installation guide at help.sap.com for more information.
  check below blogs
  Configuring and troubleshooting SPNego -- Part 1
  Configuring and troubleshooting SPNego -- Part 2
  Configuring and troubleshooting SPNego -- Part 3
  kerberos implementation with ADS made easy
  Koti Reddy

• Microsoft JDBC 2.0 driver for SQL:  Integrated Windows Authentication?

  Has anyone had success with the MS JDBC 2.0 driver for SQL and Integrated Windows Authentication in distributed mode (Multiserver)?  At best, we can get server-to-server authentication.

  Hello Thomas,
  You may want to download the driver again and install it again.
  heres a sample xml tag in the config.xml:
  <JDBCConnectionPool
  DriverName="com.microsoft.jdbc.sqlserver.SQLServerDriver"
  InitialCapacity="3" MaxCapacity="12" Name="MSpool"
  Password="{3DES}fUz1bxR0zDg=" Properties="user=uid"
  Targets="myserver"
  URL="jdbc:microsoft:sqlserver://mydbserver:1433"/>
  ensure that you follow the instructions from Microsoft. For using 2000
  driver you will need to have
  Install_dir/lib/msbase.jar and Install_dir/lib/msutil.jar in addition to
  Install_dir/lib/mssqlserver.jar in the CLASSPATH.
  hth
  sree
  "Thomas" <[email protected]> wrote in message
  news:3c91ec0e$[email protected]..
  Hi,
  Has anybody used the JDBC 2.0 driver for sql server 2000 downloadable from
  the
  microsoft website?When I try using it with WL 6.1 sp1 it says it can't load
  the
  driver.I try viewing the class file from the jar file using the jar utility
  it
  gives an unknown Zip format error.Anybody has any solution for this ?If
  anybody
  has managed to work with this microsoft driver i will be grateful if they
  provide
  me with a solution.
  Thanks
  Thomas

• Bug after updating User Logon Account (using AD Integrated Windows Authentication)

  Hello,
  I am using Integrated Windows Authentication in Project Server. And I have changed one user Active Directory (AD) useraccount name…
  Then when I go to "Manage Users" page in Project Server, I see that the new data information wasn’t updated with "Active Directory Enterprise Resource Pool Synchronization" (I forced the Synchronization and still nothing aspens)…
  So I checked the "Prevent Active Directory synchronization" checkbox for this user (in Project Server), and I changed the "User logon account" field manually, then after I save, the logon account isn’t uploaded… It shows the previous useraccount
  name.
  The only change made in the AD account name was that we changed the "Ç" character to "C".
  In the AD this accountname no longer have the "Ç" character...
  So why does the accountname in Project Server shows the "Ç" character instead of "C"?

  Hi Mario,
  The change is actually not reflecting in SharePoint. If I am not wrong, you are actually talking about the display name on the top right side of the page which is actually pulled from SharePoint content database where PWA site collection is residing.
  If that is the case, then you will have to delete the user from SharePoint and add him back. Or, if you need more details on how to do this, you can open a case with MS.
  Vikram Daruru - MSFT

• How do you uncheck the "enable integrated windows authentication" in Mozilla Firefox?

  Every time i want to access a site mozilla uses the windowslogin to authenticate through proxy.

  Hope it helps:
  http://markmonica.com/2007/11/20/firefox-and-integrated-windows-authentication/

• Class Not Found. "Integrated Windows Authentication"

  Hello out there!
  I have read several posts concerning almost the same problem I have, but couldn't find a solution:
  IIS + PlugIn 1.4.1 installed.
  If the IIS is configured not to provide Basic Authentcation, but only "Integrated Windows Authentication", following error occurs:
  java.lang.ClassNotFoundException: de.mypackage.myclass.class
  at sun.applet.AppletClassLoader.findClass(Unknown Source)
  at sun.plugin.security.PluginClassLoader.findClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source)
  at sun.applet.AppletClassLoader.loadClass(Unknown Source)
  at java.lang.ClassLoader.loadClass(Unknown Source)
  at sun.applet.AppletClassLoader.loadCode(Unknown Source)
  at sun.applet.AppletPanel.createApplet(Unknown Source)
  at sun.plugin.AppletViewer.createApplet(Unknown Source)
  at sun.applet.AppletPanel.runLoader(Unknown Source)
  at sun.applet.AppletPanel.run(Unknown Source)
  at java.lang.Thread.run(Unknown Source)
  Caused by: java.io.IOException: open HTTP connection failed.
  at sun.applet.AppletClassLoader.getBytes(Unknown Source)
  at sun.applet.AppletClassLoader.access$100(Unknown Source)
  at sun.applet.AppletClassLoader$1.run(Unknown Source)
  at java.security.AccessController.doPrivileged(Native Method)
  "Integrated Windows Authentication" is a must, so I have to turn it on, but it is possible, that basic authentication is not allowed. Any suggestions or ideas?

  In IIS you can set the security mechanism down to the file level. Try turning off integrated Windows authentication for the jar files. This can be done in the IIS administrative tool by going to your virtual directory and right clicking the jar file and selecting 'Properties'.
  Gerald

• From CC&B, consume web service with Integrated Windows Authentication

  Most of the web services to be consumed from CC&B are exposed by external applications under Integrated Windows Authenticaton. Our CC&B 2.3 is running on Bea Weblogic on AIX 6.1.
  We need to find out, how CC&B can obtain a ticket (kerberos) in this context. Already checked documentation : XAI Best Practices, OUAF Framework Security Overview.Thanks.

  For the system to function properly you would need to configure both your Web Server and your Application (CC&B) Server. Since the authentication is done by your webLogic, you would first need to configure your Windows AD to recognise the WebLogic Server to accept the communication and transfer of tokens (TGS, TGT) betwen user,weblogic and AD.
  Kerberos authentication in a Microsoft AD enviroronment is dependant on a SPN (Service Principal Name). Therefore your Weglogic host must have a user account and enabled for Kerberos within your AD.
  The following link provides detailed steps for SSO for Weblogic (Windows & Unix) with AD
  [http://download-llnw.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/sso.html]
  Secondly, since the authroization is done by your application server, you will need to import the user accounts using LDAP and configure their rghts.

• SQL Windows Authentication with Login of AD Group 'Domain Admins'

  Having a bit of a difficulty with Microsoft SQL Server 2012 windows authentication integration...
  The server is setup to have Windows authentication used as its means of login authentication. No issues with this other than a strange error that occurs on multiple SQL servers in our domain: 
  When a login is created for domain group "[domain]\Domain Admins", users within this AD group cannot connect to the SQL server through the Management Studio. The error that SQL server gives is Error 18456, Sate 11, i.e. "Valid login but server
  access failure"
  However when a different AD group is added as a login (like [domain]\[group]), users from this group can successfully log into SQL server. It seems that adding any other group, even groups from a different domain, grants successful authentication as I would
  expect EXCEPT the AD group 'Domain Admins".
  Is there some restriction/security feature at play here on this AD group that makes using the 'Domain Admins' group as a login not possible? 
  Andrew

  Yes, this group was removed and readded just yesterday to try to fix the issue.
  Here is the output of the command:
  class
  class_desc
  major_id
  minor_id
  grantee_principal_id
  grantor_principal_id
  type
  permission_name
  state
  state_desc
  105
  ENDPOINT
  2
  0
  2
  1
  CO  
  CONNECT
  G
  GRANT
  105
  ENDPOINT
  3
  0
  2
  1
  CO  
  CONNECT
  G
  GRANT
  105
  ENDPOINT
  4
  0
  2
  1
  CO  
  CONNECT
  G
  GRANT
  105
  ENDPOINT
  5
  0
  2
  1
  CO  
  CONNECT
  G
  GRANT