Ip http authentication aaa login-authentication doesn't work

I have "ip tacacs source-interface Vlan1" in my config because without it enabled I can't ssh in with tacacs. However, with that line in the config, I can't access via https unless I have the line "ip http authentication local".

For HTTP access, the user should have privilege level 15. This is how you enable it on ACS.
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG
Do rate helpful posts

Similar Messages

  • Basic http authentication not working when consuming Web Service in BPEL.

    Hi,
    I am consuming an AXIS Web Service from BPEL 10.1.3. The Web Service uses basic http
    authentication so we need a way to get username and password into the http
    header. In the Oracle BPEL Process Manager Administrator's Guide 10g
    (10.1.3.1.0) section 1.3.4.1 HTTP Basic Authentication (10.1.2.0.2) is stated
    that this can be done using the properties httpUsername and httpPassword. I
    have set the 2 for the partner link in bpel.xml but username and password do
    not get into the http header. Has anybody got an idea?
    Regards Pete

    I'm having the same sorts of problems with 10.1.3.1.0. I've got a deployed BPEL suitcase that's trying to hit a BASIC AUTH-secured web service running on a WebLogic 8.1 server. I've set up my partner link according to the documentation, and the BPEL console Descriptor tab even shows the parameters correctly:
    partnerLinkBindings      
    client      
         wsdlLocation      awardService.wsdl
    spsAwardSubmitPartnerLink      
         basicHeaders      credentials
         basicUsername      ko1
         basicPassword      xxxxx
         wsdlLocation      IAwardDraftServiceRef1.wsdl
    However, when I funnel the resultant call to the endpoint specified in IAwardDraftServiceRef1.wsdl, none of the fields I would expect show up in the HTTP header:
    POST /pd2WebServices/service/IAwardDraftService HTTP/1.1
    Host: vm-orcl-app-srv:4444
    Connection: Keep-Alive, TE
    TE: trailers, deflate, gzip, compress
    User-Agent: Oracle HTTPClient Version 10h
    SOAPAction: ""
    Accept-Encoding: gzip, x-gzip, compress, x-compress
    Content-type: text/xml; charset=UTF-8
    Content-length: 3800
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><env:Body><IAwardDraftSubmitNew xmlns="http://www.caci.com/pd2/pub">
    <IAwardDraft>
    <accessController/>
    <agreementEndDate/>
    Is there some other configuration piece I'm missing?? I've tried the other variation using httpBasicHeaders, with the same results. I even noted that the "Oracle® BPEL Process Manager Administrator's Guide" says that "Starting with Oracle BPEL Process Manager release 10.1.3, all partner link properties are automatically propagated into the HTTP header." I've tried putting "extra" parms in the partner link bindings, but they don't show up either.
    What am I missing??
    Thanks,
    Mike

  • Client authentication doesnt work between 1.0.3 and 1.4

    Hi!
    Has anyone else experienced the following problem?
    I programmed a client-server-application using an SSL connection.
    It works well if client and server run on the same java version (JRE 1.3
    with JSSE 1.0.3 or JRE 1.4). It also works well when server is running on
    JRE 1.4 and client on 1.3 with 1.0.3.
    But when I run the client with JRE 1.4 and the server with JDK 1.3 and JSSE
    1.0.3 the connection fails with the following exception:
    javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    Studying the SSL debug outputs it occurred to me that the client did not send
    his certificate as he was supposed to because setNeedClientAuth was set
    to true.
    So I set NeedClientAuth to false and everything worked OK.
    Any ideas about how I can get client authentication working?
    If debug output is useful I will post it too.
    Thanks in advance.
    CU, Florian

    Hi!
    The described behaviour only shows up with Version 1.4.1 and 1.4.1_01. No problems with 1.4.0_03.
    Seems to be a bug in 1.4.1.
    CU, Florian

  • Header Variable login module doesnt work --- NW7.3

    Hello gurus,
    I have added HeaderVariableLoginModule through the NWA tool in NW 7.3. In the components tab of http://hostname:port/nwa/auth
    I have included this login module for the ticket template. I changed the authschemes.xml file as below
    <document>
    <authschemes>
    <!-- authschemes, the name of the node is used -->
    <authscheme name="uidpwdlogon">
    <!-- multiple login modules can be defined -->
    <authentication-template>
    ticket
    </authentication-template>
    <priority>20</priority>
    <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
    <frontendtype>2</frontendtype>
    <!-- target object -->
    <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    <authscheme name="certlogon">
    <authentication-template>
    client_cert
    </authentication-template>
    <priority>21</priority>
    <frontendtype>2</frontendtype>
    <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    <authscheme name="basicauthentication">
    <authentication-template>
    ticket
    </authentication-template>
    <priority>20</priority>
    <frontendtype>2</frontendtype>
    <frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
    </authscheme>
    <authscheme name="header">
    <authentication-template>ticket</authentication-template>
    <loginmodule>
    <loginModuleName>com.sap.security.core.logon.imp.HeaderVariableLoginModule</loginModuleName>
    <controlFlag>REQUISITE</controlFlag>
    <options>Header=REMOTE_USER</options>
    </loginmodule>
    <priority>5</priority>
    <frontendtype>2</frontendtype>
    <frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>
    </authscheme>
    <!-- Reserved 'anonymous' authscheme added for being in the list of authschemes -->
    <authscheme name="anonymous">
    <priority>-1</priority>
    </authscheme>
    </authschemes>
    <!-- References for Authentication Schemes, this section must be after authschemes -->
    <authscheme-refs>
    <authscheme-ref name="default">
    <authscheme>header</authscheme>
    </authscheme-ref>
    <authscheme-ref name="UserAdminScheme">
    <authscheme>uidpwdlogon</authscheme>
    </authscheme-ref>
    </authscheme-refs>
    </document>
    After doing this I uploaded the authschemes.xml file and restarted the server.
    But when I try to access the portal it indicates the below error in the NWA tool.
    Deprecated scope of type SERVERSESSION_AT_LEAST_ONE_APP_SCOPE is used! Please replace the usage of scopes with new mechanism based on "Cross application session communication API
    Except the portal everything is working fine...
    Can you please provide suggestions?
    Thanks

    Did you add the login module, for NW 7.3 it is not preconfigured. Have a look at this thread: adding a login module in NW 7.3
    Cheers Michael

  • SSO using WEBGUI (through ITS) to backend R/3 doesnt work

    Hello All,
    We are using NW04 SP14 and trying to achieve SSO through login tickets to backend R/3 System (4.7).
    So far I got it right through WIN GUI but through WEB GUI it doesn't work.
    We did set ~mysapcomusesso2cookie = 1; ~login and ~password as empty in the global.srvc file on the ITS server.
    When I use the WEB GUI, it shows me the ITS Login page asking for Login and password.
    I also checked the cookie by using "javascript:document.cookie", this is what I got:
    "saplb_*=(J2EE4017100)4017150; PortalAlias=portal; JSESSIONID=(J2EE4017100)ID0757548650DB10548473283783783936End; MYSAPSSO2=AjExMDAgAA5wb3J0YWw6d2RheWFuZIgAE2Jhc2ljYXV0aGVudGljYXRpb24BAAdXREFZQU5EAgADMDAwAwADRU5QBAAMMjAwNjAxMTgxNzQxBQAEAAAACAoAB1dEQVlBTkT%2FAPUwgfIGCSqGSIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHBMIG%2BAgEBMBMwDjEMMAoGA1UEAxMDRU5QAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNjAxMTgxNzQxMzZaMCMGCSqGSIb3DQEJBDEWBBQtYG1bqNgV1TVHdWuzdb%2FGA%2BVV4TAJBgcqhkjOOAQDBC8wLQIVANL17BTacNfsQ8TEbLaBIVBvR2EiAhQPfWyw2s8lAX2qVgEq7%2BHrVpsmSw%3D%3D"
    This shows that cookie is being generated by Portal.
    These are the entries in the global.srvc file:
    ~appserver      server5 (R/3)
    ~clientcert      1
    ~cookies      1
    ~disconnectonclose      1
    ~dontshowaccessibilityonlogin      1
    ~ewt_statichelp      1
    ~exiturl
    ~hostsecure      serverits
    ~hostunsecure      serverits
    ~language      EN
    ~languages      EN
    ~login
    ~logingroup
    ~messageserver
    ~multiinstanceservices      1
    ~password
    ~portsecure      443
    ~portunsecure      80
    ~routestring
    ~runtimemode      dm
    ~systemname      DEV
    ~systemnumber      00
    ~theme      99
    ~timeout      15
    ~urlarchive      /scripts/sapawl.dll
    ~urlimage      /sap/its/graphics
    ~urlmime      /sap/its/mimes
    ~usertimeout      1
    ~xgateway      sapdiag
    ~xgateways      sapxgadm,sapdiag,sapxgwfc,sapxginet,sapextauth
    ~mysapcomusesso2cookie  1
    Can you guyz guide me to get this done ?
    Thanks in advance.

    I got it. I accessed the portal by using:
    http://myportal.companyname.com:50000/irj and it started working. But when I use http://myportal:50000/irj it doesn't work.
    So in future do I need to use http://myportal.companyname.com:50000/irj to access the portal?
    Can someone tell me the reason why it does it ?

  • Tacacs user authentication not working

    I am trying to setup my AP to use tacacs+ running on Cisco ACS to authenticate users logging into the AP with no success.
    Here is the AP config.  At the end of the config you can see the debugs that are running and the output of those when I try to login to the unit with the web browser.
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap1250
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    cache expiry 1
    cache authorization profile admin_cache
    cache authentication profile admin_cache
    aaa group server tacacs+ tac_admin
    server 192.168.1.25
    cache expiry 1
    cache authorization profile admin_cache
    cache authentication profile admin_cache
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local cache tac_admin group tac_admin
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local cache tac_admin group tac_admin
    aaa accounting network acct_methods start-stop group rad_acct
    aaa cache profile admin_cache
    all
    aaa session-id common
    power inline negotiation prestandard source
    username seth privilege 15 password 7 02050D480809
    username Cisco privilege 15 password 7 072C285F4D06
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    shutdown
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    dfs band 3 block
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 192.168.1.60 255.255.255.0
    no ip route-cache
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    tacacs-server host 192.168.1.25 port 49 key 7 00071A150754
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap1250#  sho debug
    General OS:
      TACACS+ authentication debugging is on
      TACACS+ authorization debugging is on
      AAA Authentication debugging is on
    ap1250#
    *Mar  1 00:25:56.239: AAA/BIND(00000024): Bind i/f
    *Mar  1 00:25:56.243: AAA/AUTHEN/LOGIN (00000024): Pick method list 'default'

    The radios are shut down as I do not have an SSID configured on the unit either at this time.  I was merely trying to get the setup for login authentication.
    I did also have a local user name and password defined but was unable to use that login either.
    I tried the config on another AP and got it to work by changing the statement to read
    aaa authentication login default local group tac_admin
    This was done by not checking the box for caching.
    Seth

  • How do we determine the HTTP authentication header for our hosted solution?

    How do we determine the HTTP authentication header (adobeconnect_admin_httpauth) from our hosted solution? The documentation says to find it in a custom.ini file but I have no clue how to access that.
    I need to supply that to the adobeconnect plugin used with a Moodle instance, screenshot below.
    If it helps, when I click "Test Connection", I see the following output.
    A series of tests have been run in order to determine whether the Adobe Connect Pro server has been properly setup for this integration to work and to also determine whether the user credentials provided in the activity global settings has the correct permissions to perform the neccessary tasks required by the activity module. If any of the tests below have failed, this activity module will not function properly.
    For further assistance and documentation in how to set up your Adobe Connect Pro server please consult the MoodleDocs help page for this activity module Help page
    Sending common-info call:
    successfully obtained the session key: na11breezrirhb4f4ryf5shqy
    successfully logged in as admin user
    Testing retrevial of shared content, recording and meeting folders:
    error obtaining shared content folder
    XML request:
    <?xml version="1.0" encoding="UTF-8"?> <params><param name="action">sco-shortcuts</param></params>
    XML response:
    <?xml version="1.0" encoding="utf-8"?> <results><status code="no-access" subcode="no-login"/></results>
    error obtaining forced-archives (meeting recordings) folder
    XML request:
    <?xml version="1.0" encoding="UTF-8"?> <params><param name="action">sco-shortcuts</param></params>
    XML response:
    <?xml version="1.0" encoding="utf-8"?> <results><status code="no-access" subcode="no-login"/></results>
    error obtaining meetings folder
    XML request:
    <?xml version="1.0" encoding="UTF-8"?> <params><param name="action">sco-shortcuts</param></params>
    XML response:
    <?xml version="1.0" encoding="utf-8"?> <results><status code="no-access" subcode="no-login"/></results>
    error creating meeting testmeetingtest folder
    XML request:
    <?xml version="1.0" encoding="UTF-8"?> <params><param name="action">sco-update</param><param name="type">meeting</param><param name="name">testmeetingtest</param><param name="folder-id"/><param name="date-begin">2015-03-14T06:53:39.000+00:00</param><param name="date-end">2015-03-14T07:53:39.000+00:00</param></params>
    XML response:
    <?xml version="1.0" encoding="utf-8"?> <results><status code="invalid"><invalid field="folder-id" type="id" subcode="format"/></status></results>
    error creating user testusertest
    XML request:
    <?xml version="1.0" encoding="UTF-8"?> <params><param name="action">principal-update</param><param name="first-name">testusertest</param><param name="last-name">testusertest</param><param name="login">[email protected]</param><param name="password">9B396EA828A00203FB3E8E69010FE537</param><param name="extlogin">[email protected]</param><param name="type">user</param><param name="send-email">false</param><param name="has-children">0</param><param name="email">[email protected]</param></params>
    XML response:
    <?xml version="1.0" encoding="utf-8"?> <results><status code="no-access" subcode="no-login"/></results>
    What are we missing?
    Thanks!

    Here is the documentation for logging in with an HTTP header: Adobe Connect 9 * Log in from an application
    Seeing as there may be some modification to files on the server, you may need to work with Adobe Support to see if they can be modified in the Hosted environment. Adobe Connect Help | Adobe Connect Support

  • Internationalizing Basic HTTP authentication browser dialog for UserID

    Is it possible to have multibyte user ID for Basic HTTP authentication? Based on RFC2617 user ID has to be *Text, which basically is ASCII. But I thought maybe someone has a workaround for this limitation. Our entire web app is internationalized, we use UTF-8 as encoding for JSP pages and request processing, and that all works fine, but there is one area where we use Basic HTTP authentication, and so far I was not able to find a way to internationalize that. Once the resource is requested, we process the request in the servlet and if the user is not authenticated we send an authentication challenge response to the browser. Response encoding is set to UTF-8. After the user enters the credentials, I process those in the same servlet, again using UTF-8. Of course when I tried to input the Japanese (multibyte) userID, the authentication is failing. I think the browser is corrupting DBCS data once it Base64 encodes it... Does anyone have ideas whether it is possible to internationalize this at all?

    You'll probably need your own ServletFilter to process the authentication header, since servers will mostly decode headers in the locale encoding, regardless of any charset in the Content-type header of the request. Getting browsers to use UTF-8 encoding before base64 might be a bit tricky though.
    It is probably better to use form based login. The procedure for getting UTF-8 encoded form parameters is a well understood FAQ for this forum.
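The decoding step such a filter would perform, sketched in Python as an added example (not code from either poster): it takes the raw `Authorization` value, decodes the base64 payload to bytes, and tries strict UTF-8 before falling back to a single-byte charset. The function names, the fallback choice and the sample credentials are constructed for illustration.

```python
import base64
import binascii

# RFC 7617 lets a server add charset="UTF-8" to the Basic challenge, but the
# client is not obliged to honour it, so the server still has to inspect bytes.


def decode_basic_credentials(header_value, fallback="iso-8859-1"):
    """Parse an Authorization header value into (user, password, charset_used)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("credentials are not valid base64") from exc
    # Strict UTF-8 first: multibyte IDs only survive if the bytes are decoded
    # as UTF-8. Anything that is not well-formed UTF-8 is treated as `fallback`.
    # Caveat: a few Latin-1 byte pairs are also valid UTF-8, so this is a
    # heuristic, not a proof of what the client intended.
    try:
        text, used = raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        text, used = raw.decode(fallback), fallback
    # Only the first ':' separates user from password; passwords may contain ':'.
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return user, password, used


def locale_decode_user(header_value, charset="iso-8859-1"):
    """User ID as seen by a server that decodes the bytes in a fixed charset."""
    raw = base64.b64decode(header_value.split(" ", 1)[1])
    return raw.decode(charset).partition(":")[0]


def header_for(user, password, charset):
    """Build the header a client would send if it encoded with `charset`."""
    token = base64.b64encode(f"{user}:{password}".encode(charset)).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    # Constructed sample: a client that UTF-8 encodes a Japanese user ID.
    sent = header_for("山田", "p:w", "utf-8")
    print("charset-aware :", decode_basic_credentials(sent))
    print("fixed Latin-1 :", repr(locale_decode_user(sent)))  # mojibake, lookup fails
    # Constructed sample: a client that sends Latin-1 bytes.
    print("legacy client :", decode_basic_credentials(header_for("José", "secret", "iso-8859-1")))
```

Compare user IDs only after both sides are decoded to the same character set; the fixed Latin-1 view above is what makes the directory lookup fail for a multibyte ID.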

  • HTTP Authentication problem

    http authentication giving some errors, portion of oracle authentication working fine. Please help me.
    Error is:
    Warning: Cannot modify header information - headers already sent by (output started at d:\inetpub\wwwroot\vars.php:5) in
    d:\inetpub\wwwroot\login.php on line 4
    Warning: Cannot modify header information - headers already sent by (output started at d:\inetpub\wwwroot\vars.php:5) in
    d:\inetpub\wwwroot\login.php on line 5
    My softwares are:
    PHP: 4.3.4
    OS: Windows 2000 Server          
    Oracle 8i client;
    Code is:
    -------------------- login.php ------------------------
    <?include"vars.php";?>
    <?php
    // Send the Basic auth challenge and stop processing.
    function authenticate() {
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        exit();
    }
    if (!isset($PHP_AUTH_USER)) {
        authenticate();
        echo "Authorization Failed.";
        exit;
    } else {
        $dbconn = ocilogon($dbUser, $dbPass, $dbName);
        // Bind the submitted credentials instead of interpolating them into the SQL text.
        $parsed = ociparse($dbconn, "select username from users where username=:u and password=:p");
        ocibindbyname($parsed, ":u", $PHP_AUTH_USER, -1);
        ocibindbyname($parsed, ":p", $PHP_AUTH_PW, -1);
        ociexecute($parsed);
        $nrows = ocifetchstatement($parsed, $results);
        if ($nrows == 0) {
            authenticate();
        } else {
            for ($i = 0; $i < $nrows; $i++) {
                setcookie("USERID", $results["USERNAME"][$i]);
                $UserID = $results["USERNAME"][$i];
            }
        }
    }
    ?>
    ------------------- vars.php ----------------------
    <?php
    $dbUser="scott";
    $dbPass="tiger";
    $dbName="db";
    ?>

    Is there any extra whitespace outside the <?php ?> tags?
    It might be treated as HTML text and cause the default
    header to be sent before authenticate() is called.
    There is something similar mentioned in this thread:
    Re: fetching blob results in "Call to a member function on a non-object "
    -- CJ

  • HTTP authentication via ACS TACACS+.

    Hi.
    I configure a router for tacacs+ access and the console and CLI work fine.
    HTTP access continually prompts for password and I can never gain access via web.
    I have tried the various cli combinations of IP HTTP AUTHENTICATION, but still does not seem to work with tacacs+.
    Debug authentication and authorization are ok (PASS)!
    Any suggestions??
    Thanks.
    Andrea.

    Hi Andrea,
    Make sure that you have privilege level 15 for your account, as telnet can work without it, but for http it's a must.
    You can configure it for the Group under which you have your user account, or on a per user basis too.
    Select group > Edit Settings > TACACS+ section
    Check "Shell" and "Privilege level" and in the box in front of privilege level, put number "15".
    Also if you have configured enable authentication via TACACS+, make sure under your user account you have selected the "Use CiscoSecure..." option under TACACS+ enable password if you have your account configured on ACS, or select other as appropriate.
    Let me know if it helps :)
    I suppose you have the "ip http authentication aaa" command configured.
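A configuration check for the situation in this thread and in the first post on the page, as an added example (not from any poster): it reads an IOS configuration and reports why a web login would not follow the TACACS+ path or would not receive privilege level 15. The finding codes, function names and sample configurations are constructed; it assumes IOS applies the TACACS+ privilege level to web logins only when an `aaa authorization exec` method list is in effect, and that an absent `ip http authentication` line means the enable password is used.

```python
import re

# Matches "ip http authentication <mode>" and the named-list forms
# "ip http authentication aaa login-authentication NAME" / "... exec-authorization NAME".
HTTP_AUTH = re.compile(r"^ip http authentication (\S+)(?:\s+(\S+)\s+(\S+))?$")


def has_method_list(lines, prefix, name):
    """True if a method list such as 'aaa authorization exec default ...' exists."""
    return any(ln.startswith(f"{prefix} {name} ") for ln in lines)


def audit_http_aaa(config):
    """Return sorted finding codes for the web-UI login path of one IOS config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    plain = "ip http server" in lines
    secure = "ip http secure-server" in lines
    if not (plain or secure):
        return []  # web UI disabled, nothing to audit
    findings = set()
    if plain:
        findings.add("HTTP_CLEARTEXT")  # credentials cross the network unencrypted

    mode = None
    lists = {"login-authentication": "default", "exec-authorization": "default"}
    for ln in lines:
        m = HTTP_AUTH.match(ln)
        if m:
            mode = m.group(1)
            if m.group(2) in lists:
                lists[m.group(2)] = m.group(3)

    if mode is None:
        # Assumption stated in the lead-in: default is the enable password.
        findings.add("HTTP_AUTH_ENABLE_PASSWORD")
    elif mode == "local":
        # The first poster's workaround: web logins never reach TACACS+.
        findings.add("HTTP_AUTH_BYPASSES_AAA")
    elif mode == "aaa":
        if "aaa new-model" not in lines:
            findings.add("AAA_NOT_ENABLED")
        if not has_method_list(lines, "aaa authentication login",
                               lists["login-authentication"]):
            findings.add("NO_LOGIN_LIST")
        if not has_method_list(lines, "aaa authorization exec",
                               lists["exec-authorization"]):
            # Authentication passes, but "Shell (Exec)" / privilege level 15
            # configured on ACS is never requested, so the browser keeps prompting.
            findings.add("NO_EXEC_AUTHORIZATION")
    return sorted(findings)


# Constructed sample: authentication debugs PASS, web UI still refuses the user.
BROKEN = """
aaa new-model
aaa authentication login default group tacacs+ local
ip tacacs source-interface Vlan1
ip http server
no ip http secure-server
ip http authentication aaa
tacacs-server host 192.0.2.25
"""

# Constructed sample: the "ip http authentication local" workaround.
WORKAROUND = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
no ip http server
ip http secure-server
ip http authentication local
"""

# Constructed sample: HTTPS only, named lists for login and exec authorization.
FIXED = """
aaa new-model
aaa authentication login WEB group tacacs+ local
aaa authorization exec WEB group tacacs+ local
no ip http server
ip http secure-server
ip http authentication aaa login-authentication WEB
ip http authentication aaa exec-authorization WEB
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("workaround", WORKAROUND), ("fixed", FIXED)):
        print(name, audit_http_aaa(cfg))
```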

  • Upgrade 10.3 to 10.4: Kerberos authentication stopped working

    Hello:
    I upgraded a G5 XServe from 10.3.9 to 10.4. It almost worked - ie: system booted again, all disks are visible, etc. But, trying to log on with a user in the OD hosted on that machine has stopped working... this happens when I try to mount a shared AFP volume, and also when logging on from a 10.4.8 client bound in Directory Access to that server. Logging on under the admin account at the console (over ARD in this case), or via ssh, works fine. I didn't think to try other accounts via that method, I will do this tomorrow morning local time and post a followup.
    Upon connecting to the server with Server Admin, a message told me that there were new services which needed kerberizing, and to go to Open Directory and click 'settings'. I did this, and also looked at the overview: netinfod was in local-only mode, while all the others were marked as "Running" (lookupd, slapd, Password Server, Kerberos). In the old 10.3.9 system (ie: where user authentication is working OK), all are marked as "Running".
    I clicked the "Kerberize" button, and entered a directory admin username and password as instructed. I think the process completed (unfortunately I didn't get a screenshot). Now, the kerberize button is gone.
    At various times when admin passwords were requested, I have to try several; the expected ones didn't always work. Eg: I thought the "diradmin" account was needed in one dialog, but I used the system "admin" account instead. (Sorry, didn't record proper details of those events).
    Forward and reverse DNS lookups with the host command work ok - they return the expected IP address.
    I looked through a bunch of logs (/var/log/*.log, /Library/Logs/.../*.log), and found a few lines with possible clues... these are shown further down.
    I have now tried updating to 10.4.8 (I'm not sure if I should have done it before kerberos was going again, but getting the system up to date does seem prudent). Errors are all exactly the same.
    Any hints or suggestions much appreciated! Here's some promising things I've found, which I'll be studying today. I hope to take the server down tomorrow morning again to try this stuff out...
    http://lists.apple.com/archives/macos-x-server/2006/Feb/msg01152.html
    http://lists.apple.com/archives/Client-management/2006/Sep/msg00013.html
    Thanks,
    Ralph
    /var/log/system.log:
    Mar 10 15:18:37 tararuas krb5kdc[84]: no sockets set up?
    AppleFileServiceAccess.log:
    IP 130.195.240.52 - - [10/Mar/2007:15:15:15 1200] "Logout test333" -5023 0 0
    IP 130.195.240.52 - - [10/Mar/2007:15:24:30 1200] "Logout ralphwahrlich" -5023 0 0
    FWIW, the AFP Reference gives error -5023 meaning thus: "UAM failed (the specified old password doesn’t match); no user is logged in yet for the specified session; authentication failed; password is incorrect."
    From slapconfig.log (slightly edited for brevity):
    slapconfig.log:
    2007-03-10 14:51:52 +1300 - slapconfig -migrateldapserver
    2007-03-10 14:51:52 +1300 - 1 Removing LDAP server from search policy
    2007-03-10 14:51:52 +1300 - 2 Data export
    2007-03-10 14:51:52 +1300 - command: /usr/sbin/oldslapcat -c -l /var/db/openldap/migration/backup.ldif
    2007-03-10 14:51:53 +1300 - Removed file at path /var/db/openldap/openldap-data/__db.001.
    2007-03-10 14:51:53 +1300 - Removed file at path /var/db/openldap/openldap-slurp/replication.log.lock.
    2007-03-10 14:51:53 +1300 - command: /usr/sbin/NeST -pwsrekey
    2007-03-10 14:51:55 +1300 - NeST command output:
    nothing found to load
    2007-03-10 14:51:55 +1300 - 3 Data import
    2007-03-10 14:51:55 +1300 - command: /usr/sbin/slapadd -c -l /tmp/backup11774.ldif
    2007-03-10 14:51:58 +1300 - 4 Updating LDAP configuration
    2007-03-10 14:51:59 +1300 - Starting LDAP server (slapd)
    2007-03-10 14:52:22 +1300 - 5 Updating data in LDAP
    2007-03-10 14:52:22 +1300 - command: /usr/bin/ldapdelete -c -x -H ldapi://%2Fvar%2Frun%2Fldapi cn=ldapreplicas,cn=config,dc=geo,dc=vuw,dc=ac,dc=nz cn=passwordserver,cn=config,dc=geo,dc=vuw,dc=ac,dc=nz cn=passwordserver_4AB32E0671171DC872A9D40CC42F9E07,cn=config,dc=geo,dc=vuw,dc=a c,dc=nz
    2007-03-10 14:52:22 +1300 - ldapdelete command output:
    ldap_bind: Can't contact LDAP server (-1)
    2007-03-10 14:52:22 +1300 - ldapdelete command failed with status 1
    2007-03-10 14:52:22 +1300 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2007-03-10 15:03:55 +1300 - slapconfig -setmacosxodpolicy
    2007-03-10 15:03:55 +1300 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2007-03-10 15:03:55 +1300 - ldapadd command output:
    ldap_modify: No such object (32)
    matched DN: cn=config,dc=geo,dc=vuw,dc=ac,dc=nz
    2007-03-10 15:03:55 +1300 - ldapadd command failed with status 32
    2007-03-10 15:04:13 +1300 - slapconfig -kerberize
    2007-03-10 15:04:13 +1300 - Error: Incorrect username or password. You must enter a directory domain administrator username and password.
    2007-03-10 15:05:25 +1300 - slapconfig -setmacosxodpolicy
    2007-03-10 15:05:25 +1300 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2007-03-10 15:05:25 +1300 - ldapadd command output:
    ldap_modify: No such object (32)
    matched DN: cn=config,dc=geo,dc=vuw,dc=ac,dc=nz
    2007-03-10 15:05:25 +1300 - ldapadd command failed with status 32
    2007-03-10 15:05:38 +1300 - slapconfig -kerberize
    2007-03-10 15:05:38 +1300 - Error: Incorrect username or password. You must enter a directory domain administrator username and password.
    2007-03-10 15:05:44 +1300 - slapconfig -kerberize
    2007-03-10 15:05:45 +1300 - Removed directory at path /var/db/krb5kdc.
    2007-03-10 15:05:45 +1300 - command: /sbin/kerberosautoconfig -r GEO.VUW.AC.NZ -m tararuas.geo.vuw.ac.nz -u -v 1
    2007-03-10 15:05:45 +1300 - kerberosautoconfig command failed with exception launch path not accessible
    2007-03-10 15:05:45 +1300 - command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a admin -p ** -v 1 GEO.VUW.AC.NZ
    2007-03-10 15:05:47 +1300 - kdcsetup command output:
    Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File
    Creating Admin ACL File
    Creating Kerberos Master Key
    Creating Kerberos Database
    Creating Kerberos Admin user
    WARNING: no policy specified for [email protected]; defaulting to no policy
    Adding kerberos auth authority to admin user
    Creating keytab for the admin tools
    Adding KDC & kadmind to launchd
    Adding the new KDC into the KerberosClient config record
    AddKDCToConfig: KDC is already present in record
    Finished
    2007-03-10 15:05:47 +1300 - command: /usr/sbin/mkpassdb -kerberize
    Mac Mini G4 1.25GHz   Mac OS X (10.4.8)  

    Thanks heaps for your reply
    Yes, I did indeed use CDs.
    I followed the instructions at http://docs.info.apple.com/article.html?artnum=301909-en , but struck problems...
    Step 16:
    here's what I got after pressing CTRL-D:
    ldap_add: Server is unwilling to perform (53)
    additional info: no global superior knowledge
    I thought I'd press ahead anyway... and struck the next problem:
    Step 18:
    here's what I got when attempting to add a record in /AccessControls.. a dialog box that said this:
    Record type not mapped
    The record with type "AccessControls" is not mapped. Your should report this error to the administrator of your directory server.
    I found the following:
    http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c7od31.html
    step 8 on that page, bullet point starting with "To add a mapping for a record type ..." seems what I want, but have no idea which object class name to use.
    Not sure where to go next. I'm somewhat inclined to blow away the OD database, and rebuild it from a backup. I would do this...
    On the 10.3.9 system:
    - export the OD from WGM
    Go into 10.4.8, and:
    - in Server Admin, change OD to be standalone only
    - reboot
    - go back to Server Admin, change OD to be a OD master
    - import the records exported from the 10.3.9 system
    I will post another update tomorrow.

  • Issue with HTTP Authentication

    I am trying to implement an authentication/timeout system whereby the initial login is done by a standard HTML form (posted). When the session times out and the user requests a service, the session is "revived" by custom HTTP Authentication. In this way, a complex set of frames and multiple windows is not disrupted by a new window.
    The problem is that once a user HTTP Authenticates, the AUTHORIZATION header value stays until the browser is closed. Consequently, the user never has to authenticate again, even when the session times out, because when the servlet requests authorization, it is right there in the servlet request.
    So my question is, how do I clear or remove the AUTHORIZATION header item from the client?
    Thanks.
    //Nicholas

    Hi,
    Opened a TAC and he confirmed that 8.2.1 supports the SDI for http/asdm authentication.
    http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp340497
    Regards
    Amar

  • [svn] 1720: Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints .

    Revision: 1720
    Author: [email protected]
    Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
    Log Message:
    Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
    QA: Yes
    Doc: No
    Details:
    Update to the TomcatLoginCommand to work correctly with NIO endpoints.
    Ticket Links:
    http://bugs.adobe.com/jira/browse/LCDS-304
    Modified Paths:
    blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand.java

  • Adobe PDF Viewer X in Safari 5 not displaying documents protected by HTTP Authentication

    I have the latest Adobe Reader X release (10.0.0) for Mac OS X 10.6 in Safari 5.0.3. The PDF Viewer is unable to display files hosted on directories protected by HTTP Authentication. The progress bar keeps spinning forever.
    I've tried it on several Macs and various Apache web servers, with both Basic and Digest Authentication.
    Adobe PDF Viewer running on Mac OS X 10.5 doesn't have this problem. Adobe PDF Viewer X running on Windows XP with Safari 5 doesn't either. So it is specific to the latest release for Mac OS X 10.6.
    Any idea for a fix? I can't revert to a previous version of Reader since the older plug-in doesn't run in 64-bit Safari (the default on Snow Leopard) - please don't tell me to force Safari to run in 32-bit mode.
    Is it at least a known bug that will be fixed soon?

    You mean disabling HTTP Authentication? Yes, of course. And it works without it. That's how I know that the cause of the problem is HTTP Authentication.

  • Video behind http authentication does not play in Safari on iOS8.

    Videos (quicktime and probably others) that are sitting behind http authenticated sites do not play properly in iOS8. This is true even with the new 8.0.2. When clicking on the mov file, Safari starts the integrated player (the player with the play button), but nothing plays and you can't press the play button.
    Since I have access to the Apache web server that serves up the video, I can see what's happening on the backend. I see that Safari or the iOS video player Safari starts up fails to pass the authentication credentials to the server. I see a bunch of http 401 error messages (failed authentication) in the logs. When moving the same video to a not authenticated site, iOS8 does the right thing.
    iOS7 (and before) and Safari on OSX does the right thing on authenticated sites. It authenticates properly with the server and plays the video.
    Chrome on iOS8 doesn't work either. Safari and Chrome use different versions of webkit, so I'm assuming it's the video player that the browsers call on that's not passing the authentication off to the web server when making the http request.
    Anyone else run into this problem or have a workaround? I reported this as a bug, but Apple hasn't acknowledged it yet.
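
The server-side check described in the post above (repeated 401s in the Apache log from a client that never sends credentials) can be scripted. This is an added example, not code from the thread; it assumes Apache's combined log format, and the addresses, user names and User-Agent strings in SAMPLE are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample: the browser authenticates, the player it hands off to never does.
SAMPLE = """\
203.0.113.7 - - [01/Oct/2014:10:00:01 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) Safari/600.1.4"
203.0.113.7 - alice [01/Oct/2014:10:00:05 +0000] "GET /private/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) Safari/600.1.4"
203.0.113.7 - - [01/Oct/2014:10:00:09 +0000] "GET /private/clip.mov HTTP/1.1" 401 381 "-" "AppleCoreMedia/1.0.0 (iPhone; constructed)"
203.0.113.7 - - [01/Oct/2014:10:00:10 +0000] "GET /private/clip.mov HTTP/1.1" 401 381 "-" "AppleCoreMedia/1.0.0 (iPhone; constructed)"
198.51.100.4 - bob [01/Oct/2014:10:02:00 +0000] "GET /private/clip.mov HTTP/1.1" 206 65536 "-" "Mozilla/5.0 (Macintosh) Safari/600.1.4"
""".splitlines()


def agents_never_authenticating(lines):
    """Return {(ip, agent): [paths]} for clients that never sent credentials.

    A 401 logged with %u == "-" means the request carried no credentials.
    A client is reported only if it drew such 401s and never had a 2xx/3xx
    response logged with a user name.
    """
    challenged = defaultdict(list)   # (ip, agent) -> paths refused without credentials
    authenticated = set()            # (ip, agent) pairs seen with an accepted user
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                 # skip lines that are not combined-format
        key = (m["ip"], m["agent"])
        if m["status"] == "401" and m["user"] == "-":
            if m["path"] not in challenged[key]:
                challenged[key].append(m["path"])
        elif m["user"] != "-" and m["status"][0] in "23":
            authenticated.add(key)
    return {k: v for k, v in challenged.items() if k not in authenticated}


if __name__ == "__main__":
    for (ip, agent), paths in agents_never_authenticating(SAMPLE).items():
        print(f"{ip} {agent!r} never authenticated for {paths}")
```

A client that appears here while another User-Agent from the same address does authenticate points at the hand-off between browser and player rather than at the server's auth configuration.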

    I also have the same exact problem, only your explanation appears more technical and understandable. This problem appears more severe on YouTube.com videos and alike, however it is also severely choppy and problematic on other sites. Surprisingly, Live Broadcast videos work better than non-Live videos, however this is not something I'd like when my data isn't throttled yet. I cross-tested it to see if there are any issues on my iPhone 4S (iOS 6, last version) and Galaxy S4 (Android Kit Kat, last version on S4) and there are no issues on those devices, so it is an iOS 8(+0.1/0.2) and iOS 8.1 problem and I am 100% confident about it.
    I do think it is the video player's problem with Websites and Webstreaming. There are no problems playing music videos on my device's storage. I didn't get that many error messages but it just doesn't play properly on Safari and Chrome, like what you are experiencing too. I may go ahead and report it too because it has gotten to a point where it is annoying to watch videos. It is not just an over 4G (+ or - LTE) only issue, it is also via Wi-Fi, even so it is a tad better. I can't tolerate playing a video 15 seconds in, have to wait 15 more seconds for it to play, it plays to 0:35 then I have to wait 15 more seconds. Even a 240p video, it does it so, it is clearly not a tolerable bug. I don't have a workaround so far (tried everything from reset to wipe the phone and reinstall all the apps).
    My device is an iPhone 6+ with iOS 8.1 (yes, it is not just exclusive to the iPhone 5S. I assume it also affects the iPhone 6 based on technical specifications).
