Is it possible to authenticate ActiveSync access with user certificates?

I would like to authenticate iPhone users to access ActiveSync services with user certificates.
Exchange version is 2003 SP2
Front end is ISA Server 2006
I set up an internal PKI
I read in the iPhone Enterprise Deployment Guide the following:
Exchange ActiveSync Features Not Supported
Not all Exchange features are supported, including, for example:
Client certificate-based authentication
My question is: Is my configuration working? If not, will it be supported in the future? Is there a roadmap?

It was easily possible with iPhone OS 2.x, but it seems something has changed for 3.0. See also http://discussions.apple.com/thread.jspa?messageID=9660201

Similar Messages

  • Project Server 2010 Web services access with Client Certificate Authentication

    We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
    web service applications that no longer connect to the server with the new authentication configuration. Our custom applications are using the WCF interface to access the public web services.
    Please let us know if it is possible to authenticate with AD FS 2.0 and then call
    Project Server web services. Any help or coding examples would be greatly appreciated.

    What is the error that occurs when the custom PSI app connects?
    Can you upload the ULS logs here for research?
    What is the user account format you specified in the code for authentication?
    For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
    'I:0#.w|mybusinessdomain\ewmccarty').
    It requires you to manually call the UpnLogon method of
    “Claims to Windows Token Service”.
    if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
    {
        // The caller was authenticated by AD FS, so the principal carries claims rather than a Windows token
        var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
    }
    Then you need to extract the UPN claim from the identity.
    Upload the verbose log if possible.
    Did you see this?
    http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
    Cheers. Happy troubleshooting!!! Sriram E - MSFT Enterprise Project Management

  • C# Code example authenticate WAP API with management certificate ...

    I want to authenticate access to a WAP API via a management certificate in C#.
    Does anyone know how this is possible?
    thx,
    Clemens

    Yes. This is very much possible. You need to hit the public tenant API with the certificate (in a development environment on port 30006). The following snippet should help you.
    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    static HttpClient httpClient;
    static string subscriptionId = "<your subscription id>";   // placeholder, not given in the original post
    static async Task RunAsync()
    {
        // The subscription id is the first path segment of every tenant API call
        string request = String.Format("{0}/services/vhdservice/disks", subscriptionId);
        HttpResponseMessage response = await httpClient.GetAsync(request);
        if (response.IsSuccessStatusCode)
        {
            var result = await response.Content.ReadAsStringAsync();
        }
    }
    static void Main()
    {
        var certificate = GetCertificateFromStore(...);   // load the management certificate (with private key) from the store
        var handler = new WebRequestHandler();
        handler.UseDefaultCredentials = false;            // no Windows credentials; the client certificate is the only credential
        handler.ClientCertificates.Add(certificate);
        httpClient = new HttpClient(handler);
        string WAPURL = @"https://wapt01.twelabs.com:30006/";
        httpClient.BaseAddress = new UriBuilder(WAPURL).Uri;
        httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        RunAsync().Wait();
    }

  • Is it possible to authenticate the SAP GUI user against LDAP ( no SSO )

    Hi
    I was under the impression that you can use LDAP to authenticate your SAP GUI user (so users do not have to maintain and remember multiple passwords).
    However, note #603208 claims that this is not possible.
    This is quite an old note; is this still true?
    Note #793191 (FAQ) says:
    9. Can I synchronize user passwords?
    Response: No.
    The password cannot be synchronized. For more information, see Note 603208.
    and note #603208 says:
    A comparison of the production password with a directory is not possible.
    The following reasons are responsible for this:
    The password is not stored in plain text or in "enciphered" form, neither in SAP Web Application Server nor in the directory; rather it is stored as a "hash value" that is calculated from the password that is entered. The function used for this is especially designed so that the password CANNOT be reconstructed from the hash value.
    For technical reasons, the user master synchronization cannot therefore extract the plain text of the password and send this to another system.
    The user's password has a size that is known only to the user. Even the system administrator and database administrator cannot obtain any information about the password.
    A comparison in plain text form would violate this basic rule. For this reason, the use of a hash value is a generally applied standard.
    Often the adjustment of passwords in several systems is equated with the term "Single Sign-On".
    However, this term must only be applied if the user logs on once and this logon information is transferred within the system infrastructure.
    The SAP Web Application Server supports real Single Sign-Ons (note 138498).

    Please do not duplicate post!
    See the other thread...

  • iOS 4.3 upgrade breaking ActiveSync profiles with client certificates

    After upgrading iOS iPhones from 4.2 to 4.3 they are unable to authenticate to ActiveSync. The ActiveSync profiles on the phones have a client certificate associated with them and the ActiveSync server requires client certs for authentication. I am also unable to remove the profiles from the iPhone that include the client cert/ActiveSync profile.
    Anyone else experiencing this problem? I am 3 for 3 so far; all three have the same issue. I have only been able to get around the issue by restoring a 4.2 backup, which enabled me to remove the profiles and install new ones.

    Hi all,
    Apple have come back to us about the case we opened.
    In our profile we have two payloads configured, the activesync payload (with a user certificate) and the credentials payload which has a user certificate and our enterprise root certs.
    The Apple engineers are saying the issue is the user cert in the Credentials payload. Apparently in 4.3 they have made some changes here.
    (when I say user cert I mean a certificate with a usage of client auth, and also in our case we have the user's UPN in the subject (or you can enter it as a SAN), so every user has a cert)
    Apple say the 4.3 upgrade should be OK without this cert in the payload.
    It will be tomorrow before I can test this.
    But the thing is, we need that cert in there because we have extra security (cert auth) on some of our public mobile focused websites, i.e. the sites challenge for a certificate (and then challenge for credentials).
    So we may have a workaround (that requires new profiles loaded) but going forward we still need to see some sort of fix, i.e. no need to reload profiles (4.3.x?).
    I'll post here when I get more info ... and thanks to Jeremy at Apple for calling me yesterday and going through it, much appreciated.
    Cheers,
    Aengus

  • Is it possible to have read access to users 'my folders' / proxy problem

    Hi,
    Is it possible to set up the security in such a way that an administrator has read access to all the users' folders, e.g. to a user's 'my folders' content?
    If the only possibility is to take ownership and grant access, what are the unwanted consequences of doing so?
    We encounter multiple issues with users using OBI incorrectly, but cannot access their private iBots/reports/subscriptions;
    or at least: how to copy the users' folders into test so that we can see the content; with no access, if copied, the folders are empty.
    Thanks in advance for any suggestions
    rgds
    Edited by: UserMB on Jul 14, 2009 2:04 AM
    Edited by: UserMB on Jul 14, 2009 2:10 AM
    Edited by: UserMB on Aug 4, 2009 4:03 AM

    up;
    still having the problem of getting the proxy functionality working
    the settings I currently have are:
    created the required table with proxies in db
    adjusted instanceconfig -> added the message on max value 100
    created a custom xml message to get the value/verify value/delegate users
    created init blocks/variables for proxy, proxylevel, runas ('Empty' from dual)
    granted the privilege proxy in presentation
    we are using sso
    weird thing is: even if I put fixed values in the custom message so that the list of proxies/target users is fixed (i.e. 'ADMINISTRATOR' instead of '@USER') it would not retrieve any values when I press 'Act as'
    (error message: This functionality has not been enabled by your administrator)
    I'd appreciate any suggestions
    thx
    rgds

  • AD Resource forest access with user from different forest

    I am trying to access an AD resource forest using a user from a different forest.
    The "different forest" is the main forest used to contain all user accounts etc. This domain is trusted by the resource forest (which contains things like outlook distribution lists etc) and so I am able to log into the resource forest (using ldp.exe or the mmc ad snap-ins) with my credentials from the main forest.
    How can I replicate this in java?
    I can connect directly to the user forest with simple authentication. But I can't do the same with the resource forest (as the user does not exist on it - it is merely trusted). Is there an authentication method that will allow me to do this?
    In this organisation user accounts for the resource forest are not given out - you have to use one from the main user forest. So I have to find a work-around where I can connect with my current credentials.
    Any ideas anyone?

    Devid,
    I am facing the same problem.
    Did you get the solution?
    I am getting an exception while calling "InitialDirContext":
    "Problem searching directory: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"

  • ITS access with users not defined as dialog users

    Hello ,
    We have a requirement that the users accessing the HR machine are restricted and only a few of them are defined as dialog users. For the users defined as communication users in the R3 core, we are now installing ESS - MSS services.
    The ITS is needed for reporting, and is also needed for the PCRs' functionality. But the ITS is asking for dialog users.
    Does anyone know how we can use system or communication users? Or where we can fix the problem?
    Regards
        Álvaro

    Hi,
    I have been running my Own test on this.
    Any Screen Name on my G4 will show a Red Away Blob, in the Header and where I have some accounts as Buddies in other Buddy Lists.
    This is also true if I log in with yet more Screen Names on my second computer.
    I posted a Red Away message asking people to IM me if they could see it as Away.
    In two days I had one reply from someone who saw it as Green.
    If I set it to the Basic Away Setting the Message became Away but I showed as On Line and Available (Green).
    I am currently testing having deleted com.apple.ichat.AIM.plist
    You can try here
    http://www.apple.com/feedback/ichat.html
    There is no reply but enough people will produce a result over time (few days if there is a rush)
    I will also make the Hosts aware via another Channel
    8:31 PM Wednesday; July 1, 2009
    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

  • SOAP Envelope with user id password

    Hi Everyone,
    I want to authenticate the sender with user ID/password in the SOAP envelope. Does anybody know the XML format for SAP PI 7.11?
    Regards
    Inder

    Thanks for responding Baskar.
    I already provided the WSDL to them. They are still asking me how they can authenticate themselves.
    Even if I am using SSL, they still need to provide a user ID/password with the appluser role to be able to send data to PI. The only thing SSL adds is that everything will be encrypted.
    I don't want to switch off Basic authentication for all SOAP adapters. Can we switch off authentication for a particular SOAP interface in the Enterprise Repository?
    Is it possible that when I use an SSL certificate, PI doesn't ask for any user ID or password?
    Regards
    Inder

  • Customer Credit Balance with user exit: LVKMPFZ1

    Hi SD Gurus,
    Is it possible to use exit LVKMPFZ1 with USER 1 in transaction OVA8 so as not to check the credit limit when the customer has a credit balance? If possible, please advise.
    Thanks
    Themba

    Hi,
    Good evening and greetings,
    In the dunning procedure, FBMP transaction code click on the Dunning Levels and inside the dunning levels there is an option under the print parameter tab to print all items...Check that box and the system would include even the credit line items lying in the customer account and that can be printed out.
    Please reward points if found useful
    Thanking you
    With kindest regards
    Ramesh Padmanabhan

  • How can I configure radius to allow a non-windows device to authenticate with a certificate?

    I currently have a 2008 R2 server with NPS acting as a RADIUS server for our wireless network. The existing rules are set up to allow access based on Windows group membership. I need to get a wireless JetDirect connected to the Wi-Fi network.
    If I create a certificate for this device with key usage settings for client auth / server auth, can it authenticate to RADIUS with that cert?
    How would I set up an NPS policy to allow this device, since it's not a domain member and not a member of the Windows groups?

    Hi there -
    I asked the NPS team about this, and following is their response:
    Yes, it’s possible but it’s a very manual process.  I will give you the easy steps then the hard ones.
    Easy(relative):
    Using a domain joined machine, request a certificate from a template that allows the private key to be exported.
    Export the cert with the private key
    Import on all workstations/devices that require it.
    Pros:
    Relatively easy to create the cert and manage the account
    Cons:
    Single certificate used on multiple machines
    Certificate does not accurately reflect the name of the device
    Hard:
    Create an account in AD
    Issue a certificate from a template that allows the private key to be exported
    Using name mappings, attach the certificate to the account
    Create an SPN that matches the SAN on the certificate, i.e. if the SAN is computer.domain.com, you need to create a SPN on the account host/computer.domain.com
    Install certificate on to target workstation/device
    Pros:
    Relatively, more secure than previous steps as you create a single account/certificate pair per device
    Cons:
    Not very manageable
    Thanks -
    James McIllece
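    The AD side of the "hard" path above, as an added example that is not part of the NPS team's reply or any Microsoft sample: one dedicated account per device, the issued certificate attached to it through the altSecurityIdentities name mapping, and an SPN that matches the certificate's SAN. The device name, account name, certificate path, domain and group name are all constructed placeholders; it assumes the ActiveDirectory RSAT module is available on the management host.

```powershell
# Added example: one AD account per non-domain device, mapped to exactly one certificate.
# Assumes the ActiveDirectory module; every name below is a constructed placeholder.
Import-Module ActiveDirectory

$deviceFqdn  = 'jetdirect01.corp.example.com'   # must equal the SAN DNS name in the certificate
$accountName = 'svc-jetdirect01'                 # one account per device, as the reply recommends
$certPath    = 'C:\certs\jetdirect01.cer'        # public part only; the private key stays on the device

# AD stores name mappings as X509:<I>issuer<S>subject with each DN in reverse (LDAP) order,
# which is the opposite of the order .NET prints for Issuer and Subject.
function ConvertTo-ReversedDn([string]$dn) {
    $rdns = $dn -split ',\s*'
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$mapping = 'X509:<I>{0}<S>{1}' -f (ConvertTo-ReversedDn $cert.Issuer), (ConvertTo-ReversedDn $cert.Subject)

# Refuse to map a certificate that cannot be used for client authentication (EKU 1.3.6.1.5.5.7.3.2).
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    throw "Certificate $certPath lacks the Client Authentication EKU; NPS will not accept it for EAP-TLS."
}

# 1. A dedicated account that nobody logs in with: its password is random and never recorded.
$randomPassword = ConvertTo-SecureString ([guid]::NewGuid().Guid + [guid]::NewGuid().Guid) -AsPlainText -Force
New-ADUser -Name $accountName -SamAccountName $accountName `
           -UserPrincipalName "$accountName@corp.example.com" `
           -AccountPassword $randomPassword -Enabled $true `
           -Description "EAP-TLS identity for $deviceFqdn"

# 2. Name mapping: ties this certificate (and only this one) to the account.
Set-ADUser -Identity $accountName -Add @{ altSecurityIdentities = $mapping }

# 3. SPN matching the SAN, so the host/ name in the certificate resolves to this account.
Set-ADUser -Identity $accountName -ServicePrincipalNames @{ Add = "host/$deviceFqdn" }

# 4. Put the account in the group the existing NPS network policy already grants access to.
Add-ADGroupMember -Identity 'WiFi-Devices' -Members $accountName

Write-Output "Mapped $deviceFqdn -> $accountName as $mapping"
```

    Because the mapping names the exact issuer and subject, the account accepts only that certificate; renewing the device certificate with a different subject means rerunning the mapping step.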

  • Configuring access with Certificate or AAA on ASA5520

    Hi there!
    I'm trying to configure a Cisco ASA 5520 to authenticate SSL VPN users via either certificate or local AAA, ie, normally the user will connect with a certificate but from time to time, users may forget their card at work and I would like to offer them an alternative way of logging via user and password.
    When I try to configure this:
    I access to Remote Access VPN > Clientless SSL VPN Access > Connection Profiles > Basic
    The device gives 3 authentication methods: AAA, certificate and both
    The question is: Is there anyway of configuring certificate as the main authentication method and AAA as a backup method?
    Thank you in advance

    This will be possible in the future, currently the following bug will be affecting you
    CSCef16611
    WebVPN configured for both AAA and Certificate Auth only does certs
    Symptom:
    If WebVPN authentication is configured for both AAA and certificates in the tunnel-group, only certificate authentication takes place.
    Conditions:
    WebVPN authentication is configured for both AAA and certificates.
    Workaround:
    None available. Currently WebVPN authentication is by AAA or certificates, and not both simultaneously.
    It will always take CERT if both are configured.

  • Is it possible to have 2 tables with the same name in an Oracle database?

    Hello,
    I'm a complete Oracle newbie so please excuse my question if it's stupid.
    I was trying to create 2 tables with the same name using different tablespaces but it does not seem to work. Like this (the second time just change the name of the tablespace):
    CREATE TABLE test_tbl (
      id INTEGER,
      status VARCHAR2(10),
      last_modified DATE DEFAULT SYSDATE
    ) TABLESPACE tblspc1;
    Is it in general possible to achieve this in Oracle?
    Thanks a lot!
    P.S. I have already created the needed tablespaces:
    CREATE TABLESPACE tblspc1 DATAFILE 'tblspc1.dbf' SIZE 10M;
    Edited by: 808239 on 02-Mar-2011 02:18

    It is not possible to create two tables with the same name in the same schema.
    A user can own one schema with his own name and another with the schema name SYS.
    For this you have to grant the sysdba privilege to the user and then have to connect using the sys password or with the password specified in the password file.
    But you would still have to access the table in the SYS schema using sys.table_name.
    Hope that answered the question.

  • Guest Access with Inter-vlan Mobility

    I have a setup as follows
    Two datacenters each with one wlc5500, one guest access server and one internet circuit with firewall.
    LWAPs connect to the data centres over a WAN.
    Each LWAP has two SSIDs one guest with web auth and one private with 802.1x.
    Site1 has 40 APs and site2 has 10 APs.
    The best scenario would be to have 30 APs on each controller but this means that there would be a mix of APs centrally switched on different VLANs for the guest wlan.
    Is there any way to anchor clients that initially associate to WLC1 so that if they roam on to WLC2 they keep the same IP address from datacentre 1? Similarly, those that associate to WLC2 should keep their IP from datacentre 2 if they roam to WLC1. Finally, if either WLC1 or WLC2 fails then all clients should re-associate to the active WLC at one DC. All the config guides so far only depict one internet circuit, so I can't work out if this is possible yet. So far, with both WLCs active, the client changes address as it roams to the other WLC.
    I would like to avoid creating a L2 link between DCs if possible

    Thanks for looking
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... guest
    Network Name (SSID).............................. GUEST
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
    NAC-State...................................... Disabled
    Quarantine VLAN................................ 0
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guest-vlan
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... 10.18.227.10
    DHCP Address Assignment Required................. Enabled
    --More-- or (q)uit
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11b and 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    Authentication................................ Global Servers
    Accounting.................................... Global Servers
    Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
    --More-- or (q)uit
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    Web Based Authentication...................... Enabled
    ACL............................................. Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
    Web-Passthrough............................... Disabled
    Conditional Web Redirect...................... Disabled
    Splash-Page Web Redirect...................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    H-REAP Learn IP Address....................... Enabled
    Client MFP.................................... Optional but inactive (WPA2 not configured)
    Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    --More-- or (q)uit
    Mobility Anchor List
    WLAN ID IP Address Status
    (Cisco Controller) >?
    (Cisco Controller) >show wln 3
    Incorrect usage. Use the '?' or key to list commands.
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... guest
    Network Name (SSID).............................. GUEST
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
    NAC-State...................................... Disabled
    Quarantine VLAN................................ 0
    Number of Active Clients......................... 1
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guest-vlan
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... 10.253.128.10
    DHCP Address Assignment Required................. Enabled
    --More-- or (q)uit
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11b and 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    Authentication................................ Global Servers
    Accounting.................................... Global Servers
    Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
    --More-- or (q)uit
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    Web Based Authentication...................... Enabled
    ACL............................................. Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
    Web-Passthrough............................... Disabled
    Conditional Web Redirect...................... Disabled
    Splash-Page Web Redirect...................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    H-REAP Learn IP Address....................... Enabled
    Client MFP.................................... Optional but inactive (WPA2 not configured)
    Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    --More-- or (q)uit
    Mobility Anchor List
    WLAN ID IP Address Status
    (Cisco Controller) >?

  • Excel or Access with Lingo

    I would like to know if there is any possibility to use the
    Director with an Excel or Access Database. I mean, can you read
    some data from the Excel or Access, modify them from Lingo and so
    on?

    Excel sample:
    http://www.xtramania.com/Documentation/VbScriptXtra/Samples/MSExcel/
    ADO sample:
    http://www.xtramania.com/Documentation/VbScriptXtra/Samples/ADO/
