Is Policy Agent2.1 for Sun WebServer6.1 on Windows developed with C?

Environment:
Access Manager,Sun Application Server,Sun Directory Server (all from JES05Q1) on Solaris10
Sun WebServer 6.1, Policy Agent2.1 (SJS_WebServer_6.1_agent_2.1_windows2003) on Windows 2000 Server
I installed all these softwares and configured them successfully.
I can access a sample application(logon.war,which deployed on Application Server) with AM authentication.
Then I deployed logon.war to Sun Web Server on Win2k, but failed to start server.
I reviewed log file ("error") of Web Server 6.1, it said:
================================================================
[06/Apr/2006:18:17:54] info ( 2424): WEB0100: Loading web module in virtual server [https-done.tong.com] at [logon]
[06/Apr/2006:18:17:55] info ( 2424): WEB0100: Loading web module in virtual server [https-done.tong.com] at [search]
[06/Apr/2006:18:18:01] failure ( 2424): WebModule[logon]: WEB2680: Exception starting filter Agent
java.lang.ClassNotFoundException: com.sun.identity.agents.filter.AmAgentFilter
     at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1463)
     at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1299)
     at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:260)
     at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:322)
     at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:120)
     at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3248)
     at org.apache.catalina.core.StandardContext.start(StandardContext.java:3724)
     at com.iplanet.ias.web.WebModule.start(WebModule.java:238)
     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
     at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
     at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
     at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
     at com.iplanet.ias.web.WebContainer.start(WebContainer.java:411)
     at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:506)
     at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[06/Apr/2006:18:18:01] failure ( 2424): WebModule[logon]: WEB2705: Context startup failed due to previous errors
================================================================
It said that Web Server can't find AmAgentFilter class.
So I searched .jar or .class files under directory of Policy Agent 2.1 on Win2k but found nothing.
There is only .dll and .lib files and it looks like that this policy agent is developed with C,not JAVA.
Meanwhile I searched under directory of Policy Agent for Sun Application Server on Solaris10 and found am_agent_filter_2_1.jar which contained "com.sun.identity.agents.filter.AmAgentFilter".
So where can I find a .jar which contains "com.sun.identity.agents.filter.AmAgentFilter" if policy agent 2.1 is developed with C?
Or I misunderstood something from the very beginning?

BTW com.sun.identity.agents.filter.AmAgentFilter is in am_agent_filter_2_1.jar file which is placed in the lib direcotry of the installed agent.
--Amit

Similar Messages

Proxy details keep deleting from field in Group Policy Preferences for IE 10 on windows 7 and 8

We have a lot of users who on the last update and have seemed to manage to install IE 10 onto their windows 7 machines as now causing all sorts of issues. I know that IEM has been replaced in favour of Group Policy Preferences and I have build a windows
8 machine just to create a group policy preference as you are unable to create the preferences from windows 7, thank you Microsoft!
I have created a test OU and got a win 7 and a win 8 machine both with IE 10 for testing. I have created the preference settings, home page etc and disabled using the F keys the advanced features that we do not require as from reading in other post even
if it is not ticked, if it is green then it will apply it, kinda defeats the using the tick but it is what it is!
When we do a gpupdate it picks up the default homepage as well as other settings but the proxy settings is blank. I then went back into the preferences I created for IE 10 and checked the connections, LAN settings and the proxy server name is missing but
both ticks are showing for the proxy settings and when you click on advanced it shows the proxy server and port details fine. I have been working on this now for 4 days and getting no where to a point were we just roll back any users on IE 10 back to IE 9.
I have also unlinked any other gpo relating to Internet settings on the test OU just in case there are conflicts. Any ideas as where to go from here?

In the end to get around the proxy settings I had to create a registry key preference with proxy and port details which seemed to have done the trick and now IE 10 is picking up the proxy details and displaying webpages

For those who run Windows 8 with bootcamp: Do you update windows 8, with windows update? I have the latest bootcamp drivers, and never checked for updates on windows. Do you normally update windows 8?

Windows 8 has been running very well after installing it with bootcamp and its latest drivers.
I just have never updated Windows 8 itself, (windows has never checked for updates), and just has been
using it bare. Do you update windows 8 to the latest updates with windows 8, and have any problems
with the updates? Just curious before I start updating it for once.

You have to update Windows to the latest version with Windows Update and keep it updated, because this is a matter of security. Microsoft provides a lot of security updates and you have to install them even if you have got an antivirus. Then you can find other updates, and if you want to install Windows 8.1, just install all updates with Windows Update, and then go to the Windows Store and download Windows 8.1.
Apple says that Windows 8.1 is not supported by Boot Camp, but people say it works without any problem with the most recent drivers, so I do not find any risk after upgrading to Windows 8.1.

Need to Deploy Distribution Points for 700 Offices on Windows 7 Systems with 128kbps of Bandwidth

Hello Everyone,
Need to deploy Distribution Points for 700 sites on windows 7 with 128kbps of link.During Office hours DP fails as entire 128 kbps of link is utilized.During non business hours it gets succeeded.
Setup for SCCM 2012-
1 Primary Server at DC
Secondary Server @ HO
100 DP's already created on link of 128 Kbps
Is there any option of creating Offline DP's in 2012......
How can I fastern the Process of DP Creation??????
Any help would be highly appreciated.......
Regards
Saurabh

Hi Jeff/Torsten,
Thanks for the revert.
Just to inform you that I need to Create fresh Distribution Point on Windows 7 systems as above technet link is used once you have setup distribution points if you need not have to utilized your 128kbps bandwidth in that scenario I can prestage the content
and copy that content on remote DP.
Please correct me if I'm wrong.
Regards
Saurabh

Unable to locate unrestricted policy files for the Sun JCE for download

My platform:
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Oracle JRockit(R) (build R28.1.4-7-144370-1.6.0_26-20110617-2130-windows-x86_64, compiled mode)
I am unable to locate the Unlimited Strength Jurisdiction JCE files.
According to BouncyCastle for Java 1.6:
..."you must download the unrestricted policy files for the Sun JCE if you want the provider to work properly. The policy files can be found at the same place as the JDK download. Further information on this can be found in the Sun documentation on the JCE."

The version at the very bottom of http://www.oracle.com/technetwork/java/javase/downloads/index.html should work.

Does the 2.1 web policy agent for Windows 2003 work on a 64 bit OS ?

Does the 2.1 web policy agent for Windows 2003 work on a 64 bit OS ?
I have a customer having a world of issues getting the agent to start.
Jeff Courtade

No. 64bit support is not there for 2.1 agents on Windows.
-Subba

Windows drivers for SUN Quad PCI card

Hi everyone.
With the risk of being flamed, I have a question regarding drivers for a Sun QUAD network card. I belive it is a X1034A card.
The card is also marked with a label saying: *5015406096836* and a barcode. On another label it sais: QFEPCI
Is there any chance in h**l that this card would function under a Windows system?
Best regards,
Johan Christensson

Hello Ben,
I own the IntraServer LSI5464E which appears to be 501-5406-01 (using the DC21153-AC which was on my card manufactured by Intel not DEC).
I was wrong, the 21153 is a PCI-to-PCI Bridge chip by Intel. I thought it's similar to the DEC PCI Fast Ethernet DECchip 21140.
The 4 Ethernet controllers chips are manufactured by/for Sun.
The datasheet for the LSI5464E is still available, while the drivers aren't.
Michael
When will the deficencies/bugs in the Forums software be fixed ?

Group policy template for Novell Client for Windows 7

Does anyone know if there is a group policy template for the Novell Client for Windows 7? I find it really hard to believe that Novell has not yet released one, but I cannot find one anywhere. We use ZCM 11.2, and I really need to be able to send out settings for the client via a group policy.
By the way, I am also posting this on the Novell Client forum, but since this is also a ZCM thing, I am hoping I might get some feedback here.
Rick P

Two recent/new resources are available for the Novell Client 2 SP3 for Windows:
Cool Solutions AppNote: Novell Client 2 SP3 for Windows: Registry Settings
Novell Client 2 SP3 for Windows: Registry Settings | Novell User Communities
Cool Solutions Tool: Group Policy Administrative Template for Novell Client 2 SP3 for Windows
Group Policy Administrative Template for Novell Client 2 SP3 for Windows | Novell User Communities

No log for am policy agent for iis6

Hello!
Im trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
I am running the OpenSSO version of Access Manager.
I have installed the agent and done the initial cofiguration.
When i try to browse the resource i get a login prompt (IIS Basic Auth)and cannot login followed by "Not Authorized 401.3"
I should get redirected to the AM Login page, shouldn't I?
I tried to look for answers in the log file but the /debug/<id> directory i empty.
Anyone know what to do?
The amAgent.properties file:
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
# Set the logging level for the specified logging categories.
# The format of the values is
# <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
# 0 Disable logging from specified module*
# 1 Log error messages
# 2 Log warning and error messages
# 3 Log info, warning, and error messages
# 4 Log debug, info, warning, and error messages
# 5 Like level 4, but with even more debugging messages
# 128 log url access to log file on AM server.
# 256 log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level = 5
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organiz ational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = true
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port = true
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilter

If the agent doesnot start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url , if thats not specified you will get a 403.
For the agent itself check that the naming.url is correct. the agent username and passwords are correct, and see that the user has priviledges to write to the agent log files. Apart from these post the windows event logs.

Policy Agent for JBoss

Hi,
I have installed SAM (together with S1DS, Web Server and Administration Server (from JES installer)).
I have installed and configured Policy Agent for JBoss AS, but i'm getting a browser "Redirect loop" (Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.) error after I login with a correct user/password combination when I try to access the sample application.
My browser accepts cookies from all domains and I get no error in console.
My AMAgent.properties looks like this:
com.sun.identity.agents.config.user.mapping.mode = USER_ID
com.sun.identity.agents.config.user.attribute.name = employeenumber
com.sun.identity.agents.config.user.principal = false
com.sun.identity.agents.config.user.token = UserToken
com.sun.identity.agents.config.client.ip.header =
com.sun.identity.agents.config.client.hostname.header =
com.sun.identity.agents.config.load.interval = 0
com.sun.identity.agents.config.locale.language = en
com.sun.identity.agents.config.locale.country = US
com.sun.identity.agents.config.organization.name = /
com.sun.identity.agents.config.audit.accesstype = LOG_BOTH
com.sun.identity.agents.config.log.disposition = ALL
com.sun.identity.agents.config.remote.logfile = amAgent_11_126_14_20_8080.log
com.sun.identity.agents.config.local.logfile = /home/ciuc/stuff/src/j2ee_agents/am_jboss_agent/agent_001/logs/audit/amAgent_11_126_14_20_8080.log
com.sun.identity.agents.config.local.log.rotate = false
com.sun.identity.agents.config.local.log.size = 52428800
com.sun.identity.agents.config.webservice.enable = false
com.sun.identity.agents.config.webservice.endpoint[0] =
com.sun.identity.agents.config.webservice.process.get.enable = true
com.sun.identity.agents.config.webservice.authenticator =
com.sun.identity.agents.config.webservice.internalerror.content = WSInternalErrorContent.txt
com.sun.identity.agents.config.webservice.autherror.content = WSAuthErrorContent.txt
com.sun.identity.agents.config.access.denied.uri =
com.sun.identity.agents.config.login.form[0] =
com.sun.identity.agents.config.login.error.uri[0] =
com.sun.identity.agents.config.login.use.internal = true
com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
com.sun.identity.agents.config.auth.handler[] =
com.sun.identity.agents.config.logout.handler[] =
com.sun.identity.agents.config.verification.handler[] =
com.sun.identity.agents.config.redirect.param = goto
com.sun.identity.agents.config.login.url[0] = http://sam.domain:80/amserver/UI/Login
com.sun.identity.agents.config.login.url.prioritized = true
com.sun.identity.agents.config.agent.host =
com.sun.identity.agents.config.agent.port =
com.sun.identity.agents.config.agent.protocol =
com.sun.identity.agents.config.login.attempt.limit = 0
com.sun.identity.agents.config.sso.decode = true
com.sun.identity.agents.config.amsso.cache.enable = true
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
com.sun.identity.agents.config.cdsso.enable = false
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://dm-test-win-1:80/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://dm-test-win-1:80/amserver/cdcservlet
com.sun.identity.agents.config.logout.application.handler[] =
com.sun.identity.agents.config.logout.uri[] =
com.sun.identity.agents.config.logout.request.param[] =
com.sun.identity.agents.config.logout.introspect.enabled = false
com.sun.identity.agents.config.logout.entry.uri[] =
com.sun.identity.agents.config.fqdn.check.enable = true
com.sun.identity.agents.config.fqdn.default = jbossAS.domain
com.sun.identity.agents.config.fqdn.mapping[] =
com.sun.identity.agents.config.legacy.support.enable = false
com.sun.identity.agents.config.legacy.user.agent[0] = Mozilla/4.7*
com.sun.identity.agents.config.legacy.redirect.uri = /agentapp/sunwLegacySupportURI
com.sun.identity.agents.config.response.header[] =
com.sun.identity.agents.config.redirect.attempt.limit = 0
com.sun.identity.agents.config.port.check.enable = false
com.sun.identity.agents.config.port.check.file = PortCheckContent.txt
com.sun.identity.agents.config.port.check.setting[8080] = http
com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
com.sun.identity.agents.config.notenforced.uri.invert = false
com.sun.identity.agents.config.notenforced.uri.cache.enable = true
com.sun.identity.agents.config.notenforced.uri.cache.size = 1000
com.sun.identity.agents.config.notenforced.ip[0] =
com.sun.identity.agents.config.notenforced.ip.invert = false
com.sun.identity.agents.config.notenforced.ip.cache.enable = true
com.sun.identity.agents.config.notenforced.ip.cache.size = 1000
com.sun.identity.agents.config.attribute.cookie.separator = |
com.sun.identity.agents.config.attribute.date.format = EEE, d MMM yyyy hh:mm:ss z
com.sun.identity.agents.config.attribute.cookie.encode = true
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
com.sun.identity.agents.config.profile.attribute.mapping[] =
com.sun.identity.agents.config.session.attribute.fetch.mode = NONE
com.sun.identity.agents.config.session.attribute.mapping[] =
com.sun.identity.agents.config.response.attribute.fetch.mode = NONE
com.sun.identity.agents.config.response.attribute.mapping[] =
com.sun.identity.agents.config.bypass.principal[0] =
com.sun.identity.agents.config.default.privileged.attribute[0] = AUTHENTICATED_USERS
com.sun.identity.agents.config.privileged.attribute.type[0] = Role
com.sun.identity.agents.config.privileged.attribute.tolowercase[Role] = false
com.sun.identity.agents.config.privileged.session.attribute[0] =
com.sun.identity.agents.config.service.resolver = com.sun.identity.agents.jboss.v40.AmJBossAgentServiceResolver
com.sun.identity.agents.app.username = amagent
com.iplanet.am.service.secret = AQICJmGvlBWYuAYQndALuvNKiw==
am.encryption.pwd = /mY/WidDT34aJtbcFS0pCKFEt6evPeTF
com.sun.identity.client.encryptionKey= /mY/WidDT34aJtbcFS0pCKFEt6evPeTF
com.iplanet.services.debug.level=error
com.iplanet.services.debug.directory=/home/ciuc/stuff/src/j2ee_agents/am_jboss_agent/agent_001/logs/debug
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.naming.url=http://sam.domain:80/amserver/namingservice
com.iplanet.am.notification.url=http://jbossAS.domain:8080/agentapp/notification
com.iplanet.am.session.client.polling.enable=false
com.iplanet.am.session.client.polling.period=180
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
com.iplanet.am.sdk.remote.pollingTime=1
com.sun.identity.sm.cacheTime=1
com.iplanet.am.localserver.protocol=http
com.iplanet.am.localserver.host=jbossAS.domain
com.iplanet.am.localserver.port=8080
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=sam.domain
com.iplanet.am.server.port=80
com.sun.identity.agents.server.log.file.name=amRemotePolicyLog
com.sun.identity.agents.logging.level=BOTH
com.sun.identity.agents.notification.enabled=true
com.sun.identity.agents.notification.url=http://jbossAS.domain:8080/agentapp/notification
com.sun.identity.agents.polling.interval=3
com.sun.identity.policy.client.cacheMode=subtree
com.sun.identity.policy.client.booleanActionValues=iPlanetAMWebAgentService|GET|allow|deny:iPlanetAMWebAgentService|POST|allow|deny
com.sun.identity.policy.client.resourceComparators=serviceType=iPlanetAMWebAgentService|class=com.sun.identity.policy.plugins.HttpURLResourceName|wildcard=*|delimiter=/|caseSensitive=false
com.sun.identity.policy.client.clockSkew=1011.126.14.20 is the computer where I have the JBoss installation.
11.126.14.18 is the computer where I have SAM services.
Do you have any idea why this error may occur?
Thank you in advance,
Cristi

Hi,
Thanks for your responses, I've included my AMAgent.properties below if you could take a look at it.
I only seem to run into the problem when I authenticate if the following is set:
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
If that is set to NONE then I can access the application fine, but if i use the HTTP_HEADER and attempt to pass information via the header I get stuck in the loop which results in the message <strong>".Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked."</strong>
There is no helpful output in either my container log or the Policy Agent logs.
The myHost.local. exists within my /etc/hosts file and using ping and other tools resolve fine.
I am using JBOSS 4.2.2 on Linux (and windows).
If anyone can help save my sanity it would be appreciated.
com.sun.identity.agents.config.filter.mode = URL_POLICY
com.sun.identity.agents.config.user.mapping.mode = USER_ID
com.sun.identity.agents.config.user.attribute.name = employeenumber
com.sun.identity.agents.config.user.principal = false
com.sun.identity.agents.config.user.token = UserToken
com.sun.identity.agents.config.load.interval = 0
com.sun.identity.agents.config.locale.language = en
com.sun.identity.agents.config.locale.country = US
com.sun.identity.agents.config.audit.accesstype = LOG_NONE
com.sun.identity.agents.config.log.disposition = REMOTE
com.sun.identity.agents.config.remote.logfile = amAgent_8089.log
com.sun.identity.agents.config.local.logfile = /usr/j2ee_agents/am_jboss_agent/agent_001/logs/audit/amAgent_8089.log
com.sun.identity.agents.config.local.log.rotate = false
com.sun.identity.agents.config.local.log.size = 52428800
com.sun.identity.agents.config.webservice.enable = false
com.sun.identity.agents.config.webservice.endpoint[0] =
com.sun.identity.agents.config.webservice.process.get.enable = true
com.sun.identity.agents.config.webservice.authenticator =
com.sun.identity.agents.config.webservice.internalerror.content = WSInternalErrorContent.txt
com.sun.identity.agents.config.webservice.autherror.content = WSAuthErrorContent.txt
com.sun.identity.agents.config.login.form[0] = /manager/AMLogin.html
com.sun.identity.agents.config.login.form[1] = /host-manager/AMLogin.html
com.sun.identity.agents.config.login.error.uri[0] = /manager/AMError.html
com.sun.identity.agents.config.login.error.uri[1] = /host-manager/AMError.html
com.sun.identity.agents.config.login.use.internal = true
com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
com.sun.identity.agents.config.auth.handler[] =
com.sun.identity.agents.config.logout.handler[] =
com.sun.identity.agents.config.verification.handler[] =
com.sun.identity.agents.config.redirect.param = goto
com.sun.identity.agents.config.login.url[0] = http://myHost.local:8080/amserver/UI/Login
com.sun.identity.agents.config.login.url.prioritized = true
com.sun.identity.agents.config.login.url.probe.enabled = true
com.sun.identity.agents.config.login.url.probe.timeout = 2000
com.sun.identity.agents.config.agent.host =
com.sun.identity.agents.config.agent.port =
com.sun.identity.agents.config.agent.protocol =
com.sun.identity.agents.config.login.attempt.limit = 0
com.sun.identity.agents.config.sso.decode = true
com.sun.identity.agents.config.amsso.cache.enable = true
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
com.sun.identity.agents.config.cdsso.enable = false
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://myHost.local:8080/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://myHost.local:8080/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.secure.enable = false
#com.sun.identity.agents.config.cdsso.domain[0] =
com.sun.identity.agents.config.logout.application.handler[] =
com.sun.identity.agents.config.logout.uri[] =
com.sun.identity.agents.config.logout.request.param[] =
com.sun.identity.agents.config.logout.introspect.enabled = false
com.sun.identity.agents.config.logout.entry.uri[] =
com.sun.identity.agents.config.fqdn.check.enable = true
com.sun.identity.agents.config.fqdn.default = am.ufidev.local.
com.sun.identity.agents.config.fqdn.mapping[] =
com.sun.identity.agents.config.legacy.support.enable = false
com.sun.identity.agents.config.legacy.user.agent[0] = Mozilla/4.7*
com.sun.identity.agents.config.legacy.redirect.uri = /agentapp/sunwLegacySu<br />

ID Server and Policy Agent for AS .. is secure?

Hello there,
I have a question. Quite critical question, concerning iPlanetDirectoryPro cookie. If I've got it right, this cookie contains SSO Token. And the SSO token can be used with identity server to obtain any SSO assetion. I've experimentaly confirmed this.
Now, can anyone tell me why this cookie is sent to any host in my domain? The default after instalation is "bgs.sk". This default value enables any host in my domain to impersonate me. Well, I still can change this, but it is now good to have insecure default values anyway, is it?
Second, and more critical problem: I have Policy Agent installed on my Application Server. It looks like the agent requires access to the iPlanetDirectoryPro cookie to work correctly. But, if my application server has my SSO token, it can impersonate me anywhere. Not a good situation at all. That would mean security hole as big as hangar doors.
Are my assumptions correct? Am I overlooking something?
(All valid for ID server 6.0 and Liberty protocols)
Thanks for any help.

Although Sun promote Identity Server by emphasizing its Liberty/SAML feature, the product itself use a proprietary protocol for SSO and CDSSO.
As all we know, this product could be totally useless without Sun's Policy/J2EE Agent deployed. But ironically these agents communicate with Identity Server in its own way, nothing to do with SAML, XACML, or even SOAP.
The agent approach is usually not a good idea. We saw more and more problem raised from fields related to agent stability and scalability. We never see any performance benchmark data from Sun. Since the communication between agt and Identity Server are proprietary, no ISV can make agent for this product. You have to wait for Sun for agent support if you have new system not on the support matrix.
In addition to agent, another big issue of Identity Server is its complex DIT structure. In fact, we prefer to have RDBMS as Identity Server's repository. Sun abuse ldap just because this company doesn't have any database product but still want to provide a pure Sun platform (JES) to customer. So they compromise the architecture for business reason, I'd like to tell you, I don't like the way Identity Server store data in DIT, I don't like the console UI (its for technical geek), and on one in our company dare to do any configuration change.
Now Sun put Identity Server as the core of its JES product stack. If you have time to take a look at how the SJS Portal use Identity Server and how SSO between Portal channel and Email/Calendar Server are achieved, you'll find that you just buy a "framework" (I mean Identity server), not a product, because you have to do every integration work by intensively coding.
I predict that Identity Server will be significantly rearchitctured in the near future, otherwise we don't see any benefit this product can bring to me. It is a headache for deployment as well as maintenance. If you just need Single Sign-On, there are lots alternative to achieve, Sun's Identity Server is really overkill. It's authentication feature is ok, but authorization feature (policy, role) is very limited. If you have lots of Windows/IIS web app need to do SSO with Identity Server, god bless you... you better have a sharp programmer to wrap up the C API so as your ASP programmer can leverage Identity Server SDK, and you got to pray for IIS agent behave well. In addition, don't forget to learn more about JATO if you want to do some fancy customization on the default login page.

Are there any information gathering tools or scripts for Sun VDI 3.1.1?

Hi,
Are there any information gathering tools or scripts for Sun VDI 3.1.1?
for problem reporting or service supportting , such as
ut_gather, a ksh based tool to collect all Sun Ray related information from a Sun Ray server.
http://www.sun.com/bigadmin/jsp/descFile.jsp?url=descAll/ut_gather_1_4_6
http://www.sun.com/service/gdd/index.xml
Sun Explorer Data Collector in The Sun Services Tools Bundle (STB)
http://www.sun.com/service/stb/index.jsp
http://www.unix-consultants.co.uk/examples/scripts/linux/linux-explorer/
http://www.slideshare.net/Aeroplane23/information-gathering-2
Windows MPSreports, msinfo32
Redhat sysreport
Suse Siga reportconfig
Any advice would be appreciated.
Thanks,

ut_gather versions are available on MOS under reference #1260464.1

HTTP/SPNEGO for "SSO" on MS Windows

HTTP/SPNEGO for "SSO" on MS Windows
Hi all of you !
The scene is simple : I got a software (All in plain java ) and some simple web access to this system. ( it's not a real web server wich will be in need for Apache or some big container it's just a few access to some informations of the software )
The client company is all MS Windows, and it's used to some SSO approach,
they got a AD server on Win2003, all laptops are under winXP Pro and got IE at least version 6
Now The question is this ;
I got
-a guy (properly authentified) who is
- using IE (properly setted)
- on a computer (properly attached to AD)
to access a ressource URL of my app
It's quite simple to send him a http 401 or 407 so IE go back to the AD server and get its token
BUT how can I manage in java to extract the account used by the client
from the SPENEGO token ? this is all I need
I cant find any help on this, So please if someone can help me in this...
I'm lost ... Thanks in adavnce for a simple hint or a url linking me on the good path

I forget :
Ok for the configuration, thanks to some of your posts (thanks all)
I know all the importants steps to be followed
For exemple I quote danielshrem last post on the thread http://forum.java.sun.com/thread.jspa?forumID=545&threadID=760214
<quote>
Hey Seema,
Indeed my server's principal was not the correct one, now everything is cool with rc4 encryption.
for all u dudes out there in need of Java HTTP kerberos auth here's a few simple configuration procedures:
1. on the Domain Controller add an HTTP SPN to the account running the web service (use setspn.exe). the SPN has to be in format HTTP/host@Realm or HTTP/host (this SPN worked for me). if u dont know exactly which SPN u need u can sniff an HTTP session on ethereal look for Kerberos AP Req-->ticket-->Server Name. from what i gather this is the principal the clients use.
2. on the DC add a mapping to the newly created SPN (use ktpass.exe)
3. on the host running the service create a keytab file containing the newly created HTTP principal (use java's ktab.exe)
4. make sure the SPN is set up OK by running kinit and pass the newly created keytab file and the newly created SPN.
once u recieve an ok result you are good to go (login and authenticate users)
hope this helps
Daniel.
</quote>
My problem (I know it must sounds stupid) : how do I extract the login account from this ?

How to Force enable, silent updates for Adobe flash in windows 8

How to Force enable updates, silently for Adobe flash in windows 8 using group policy?
I have followed this Article:
http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.h tml
http://gpyall.com/archives/disable-adobe-flash-updates-on-64-bit-windows-with-group-policy /
This looks promising but not working.
Also, I cannot even manually create a file, in Win 8 (C:\Windows\SysWOW64\Macromed\Flash)
So how would group policy can put mms.cfg in this location with following vaule:
AutoUpdateDisable=0
SilentAutoUpdateEnable=1
Thanks in Advance.

You will find more information in http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flas h_player_11_7_admin_guide.pdf

How to disable UAC for standard account in windows 8.1 single language OS

Hi,
How to Disable UAC in a standard account on windows 8.1 single language OS.
application for mobile modem (TATA DOCOMO) always asks for administrator password, in windows 7 I used to just set UAC never Prompt in admin account and same setting would reflect in standard user account and then users where not prompted for password but in
windows 8.1 single language edition I have disabled UAC in admin account but in standard account the setting for UAC was still in default (notify me when programs try to make changes to my computer), if I try to set never, the ok button is greyed out with
message saying that you must be logged in as administrator.
And Group policy editor, local security policy are not available in windows 8.1 single language.
can any one give command to disable UAC using CMD.
OR
set registry to not prompt for admin password.
Thanks in advance..........

Hi Ed,
But in control panel -> user accounts -> Change user account control settings
I can set the settings to always notify
and default notify when programs try to make changes to computer.
But I can't set it to never prompt because only administrator as power to do that and if I set never prompt in administrator account the settings in standard user remains in
always notify.
so please let me know, if there is any other way to over come the problem.
Main problem is application from unknown source always prompt for admin password.
I need to disable it from prompting for admin password to run applications in standard accounts.

Is Policy Agent2.1 for Sun WebServer6.1 on Windows developed with C?

Similar Messages

Maybe you are looking for