Is strong 2FA with client cert and AD using AnyConnect possible?

Is it possible to configure AnyConnect to require a client cert that matches the AD username?  Which attribute should be used?  Common name (CN) or something else?  Can anyone point me to the appropriate documentation on setting up this configuration?
Thanks in advance!

Jaime,
If you want a binary comparison of the certificate, I believe it's only possible with EAP methods.
That being said, you can extract multiple things from the certificate to be used as the authentication username.
Have a look at this doc:
http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html
It shows a couple of different ways to do this on ASA.
On IOS, I'd suggest looking at the FlexVPN feature.
M.
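To illustrate the ASA approach M. points to, here is an added configuration sketch (not from the thread and not copied from the Cisco document): the ASA validates the client certificate against a trustpoint, pre-fills the username from the certificate's CN, and then authenticates that username against AD over LDAP as the second factor. All names and addresses (USER-CA, USER-CERT-MAP, AD-LDAP, 10.0.0.10, VPN-POOL, ANYCONNECT-CERT-AD) are placeholders; whichever certificate field you choose, it must hold exactly the value AD is queried by, here sAMAccountName.

```text
! Added example, not the thread's or Cisco's own config; all names are placeholders.

! Trustpoint holding the CA that issues the user certificates.
! Import its certificate afterwards with: crypto ca authenticate USER-CA
crypto ca trustpoint USER-CA
 enrollment terminal
 revocation-check crl

! Only certificates from that issuer and OU are steered into the cert+AD tunnel-group.
crypto ca certificate map USER-CERT-MAP 10
 issuer-name attr cn eq ExampleIssuingCA
 subject-name attr ou eq VPNUsers

! AD reachable over LDAP; the username taken from the certificate is looked up
! by sAMAccountName, so the certificate field must carry exactly that value.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa-ldap,cn=Users,dc=example,dc=com
 ldap-login-password <placeholder>
 server-type microsoft

tunnel-group ANYCONNECT-CERT-AD type remote-access
tunnel-group ANYCONNECT-CERT-AD general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
tunnel-group ANYCONNECT-CERT-AD webvpn-attributes
 ! both factors are required: a valid certificate AND an AD password
 authentication aaa certificate
 ! take the username from the certificate so the user does not type it;
 ! use UPN instead of CN if the logon name lives in the SAN
 pre-fill-username ssl-client
 username-from-certificate CN
 group-alias CERT-AD enable

webvpn
 ! route certificates matching the map to the tunnel-group above
 certificate-group-map USER-CERT-MAP 10 ANYCONNECT-CERT-AD
```

With this layout a certificate whose CN does not correspond to an AD account simply fails the LDAP bind, and a stolen certificate alone does not log in because the AD password is still required.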

Similar Messages

  • PC with client cert -- IIS-- WLS using proxy plugin

    I have the following configuration
    PC ----> IIS Web Server ----> WLS
    The PC has a Windows COM application that will use HTTPS to communicate with a
    servlet + ejbs on WLS. The PC has a digital certificate, the PC authenticates
    IIS and the IIS authenticates the PC via SSL.
    We want to use the BEA IIS plugin to proxy the PC requests to the Servlets/EJBs
    on WLS. We also want the public digital certificate on the PC to be sent from
    IIS to WLS as we need to extract information from it on WLS.
    Solution ID S-08166 says this can be done for Apache. Can it be done for IIS and
    if so how?
    Thanks
    Colman

    I would like the same behaviour but with the NSAPI plugin.
    Any configuration guidelines?
    The ppath is the same but one is http and the other https.
    "Varun" <[email protected]> wrote in message
    news:3da32e55$[email protected]..
    >
    We are trying to secure certain pages in our web application. Our setup has an
    IIS server with the WebLogic ISAPI plugin configured for path forwarding. However,
    it seems that we can configure the plugin either to secure all traffic to the
    WebLogic server or none of it (SecureProxy=ON/OFF).
    What we would like to do is to set up the plug-in so that all incoming http traffic
    is forwarded to the WebLogic server over http and all https traffic is forwarded to
    the same WebLogic server over https. Is there any way to do this?
    Any help is very appreciated.

  • Enabling CLIENT-CERT and FORM authentication in same web-app

    Hi!
    I am trying to enable the same behaviour in WLS 8.1 SP4 as is available in WLS 9.2 (one can define many <auth-method>s in web.xml, for example <auth-method>CLIENT-CERT,FORM</auth-method>, which states that one first tries authentication with a token (Single Sign On case, for example) and if it is not successful then goes to the log-in page).
    My steps are as follows in my custom Servlet. We are using IE 6.0 as our web client. We have configured our auth-method to be FORM, and in the <form-login-page> we have a redirection to that custom Servlet, which does the handling described below.
    1. If client does not send tokens in request, then set response header:
    response.setHeader("WWW-Authenticate", "Negotiate");
    response.sendError(response.SC_UNAUTHORIZED);
    This works fine and the client starts to send his tokens.
    2. Now check token, if it is valid, let user in, if not forward him to custom log-in page, for example:
    RequestDispatcher dispatcher = request.getRequestDispatcher("/login/login.html");
    dispatcher.forward(request, response);
    3. The client is forwarded to a log-in page as requested and gives his credentials, then pushes OK.
    log-in page is as defined in edocs:
    <form method="POST" action="j_security_check">
         <table border=1>
              <tr>
                   <td>Username:</td>
                   <td><input type="text" name="j_username"></td>
              </tr>
              <tr>
                   <td>Password:</td>
                   <td><input type="password" name="j_password"></td>
              </tr>
              <tr>
                   <td colspan=2 align=right><input type=submit value="Submit"></td>
              </tr>
         </table>
    </form>
    Now the interesting thing happens (I have investigated the TCP traffic at the server machine): the client (in this case IE) seems to somehow override the credentials (j_password and j_username in the HTTP headers; it does not send them at all) but keeps on sending this 'Authorize' field with the invalid token instead.
    I have tried a Servlet that does not request WWW-Authenticate at all (in which case the client does not start to send the 'Authorize' field). In this case those values are put into the HTTP header OK and authentication is able to take place.
    Does anyone have any ideas how I can force my clients to send those values from the HTML FORM described above? Should I set something on the response while I do the forward to the custom log-in page? I have tried virtually everything I can imagine (which seems to be not too much :-))...

    Solution found:
    The trick is to return "401" in the response if the ticket is not valid (do nothing else). This will end the negotiation between client and server.
    In your web.xml, forward your 401 code to the login page:
    <error-page>
        <error-code>401</error-code>
        <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within the servlet), but I did not have time to investigate it further. This one at least works.

  • Weblogic 10.0 web application with CLIENT-CERT suddenly redirect with 401

    Hi everybody,
    we currently have a WebLogic Portal 10.2 web application with integrated Windows authentication.
    I configured a Negotiate Identity Asserter and an Active Directory provider.
    I configured Kerberos services, so we have successful access to our application through the Windows session.
    But most of the time we have 401 errors on any page when navigating. In fact, the error occurs when clicking on a link when a page is not fully loaded.
    For our tests, we use the security webapp provided by BEA/Oracle, and it just works.
    The web.xml used in our webapp:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>sso</web-resource-name>
            <description>Desc</description>
            <url-pattern>/appmanager/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>desc</description>
            <role-name>ssoRole</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name/>
    </login-config>
    <security-role>
        <description>Authenticated user</description>
        <role-name>ssoRole</role-name>
    </security-role>

    Which version of the web server are you using here? 6.1 or 7.0? If it is 6.1 then there is no easy <If> syntax. If you are using 7.0, then you need to be aware that the processing of 'ppath' is slightly different in 7.0.
    In any case, this would be the syntax:
    <Object name="weblogic" ppath="/hw/">
        Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
        # gateway timeout - back end WebLogic not responding, handle differently
        <If code='504'>
            # send it to a different host..
            Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
        </If>
    </Object>
    - sriram

  • Cannot Sync Mails on 3G / iOS4 with Client Cert. iPhone 4 OK, OS 3.1.3 OK

    Hi One and All,
    Our Exchange Server 2007 (published via ISA 2006) requires Client Certificates to Sync. We use the iPhone Configuration Utility to set up the mobileconfig file, and it normally works fine. However, I currently have two iPhones (1x3G and 1x3GS) that cannot access the server via either WLAN or 3G. If I install the same config file on an iPad or an iPhone 4, it works fine. On the 3G and 3GS, it does not even enforce setting the lock code. Going into the mail account results in a "Cannot Connect To Server" error.
    If I use Safari, and navigate to the Active-Sync page "https://myserver.domain.com/Microsoft-Server-ActiveSync/default.eas" it pops up a message that I need a certificate, and to press continue to select a certificate, but it then just hangs with a doughnut, and I have to reboot if I want to use Safari again.
    I have done a Reset All Settings, tried lots of different mobileconfig files, all of which work on the iPad and iPhone4, but not the iPhone 3. Any ideas?

    Actually, I didn't resolve this using the iPhone Configuration Utility.
    This is a new feature in iOS4. For security reasons, if you change the Exchange Profile, you have to reset the phone to factory defaults first, and then it works. According to Apple, this is by design.

  • I sold my iPhone 3GS to a friend and then I bought it back and reset it; now it says my Apple ID is associated with another device and I can't use my ID for 90 days. How do I get around that?

    How do I get my iPhone 3GS to accept my Apple ID after selling it to a friend (reset) and buying it back from the friend (reset again)? Now the phone says the Apple ID is already associated with another device and I have to wait 90 days. How do I fix this problem?

    email me at <Edited by Host> ASAP!!!

  • Possible to use CCM 2.0 with both CRM and SRM using OCI?

    Hi,
    I am preparing a solution with SRM, CRM and CCM where CCM should be the central product catalog,
    internal ordering should be done using SRM and external ordering (reselling and billing) using CRM.
    However, the content is the same, so I either need to provide it once in CCM and create different
    views and OCI-connections from SRM and CRM or I need a way to extract a catalog from CCM and import
    it into CRM.
    In posting 83841
    Is SRM Mandatory with CCM?
    I learned that CCM 3.0 will support CRM processes.
    However, I could not find any hint when CCM 3.0 will be available.
    I assume CCM 2.0 supports OCI as well, so in principle it should be possible to use one CCM view in CRM and another CCM view in SRM.
    Is this assumption correct?
    Regards, Andreas

    Hi Andreas,
    yes, via OCI one catalog can be integrated into different applications.
    Regarding the release: CCM 2.0 is the last release of the SAP Catalog.
    There will be no CCM in the future.
    In the new version of MDM the catalog function is integrated and it is
    mandatory to be used in new implementations as well with SRM 6.0.
    There are some tricky things in CCM and it is hard to get support, as
    the main focus is MDM.
    When you have a chance to plan the landscape, consider MDM from a
    long-term perspective.
    Thanks,
    Claudia

  • Sync Mac iPhoto library with multiple Macs and devices using iCloud

    Our house is a "Mac" house. My wife and I have two iMacs, two iPhones, and an iPad. I have 30,000 photos in my library dating back to 2002 with a size of 100 Gb. I am paying the $3.99/month for 200 Gb of storage, but currently only using about 7 Gbs. I am running the latest of everything. iOS 8 on devices, and Yosemite on both iMacs.
    I am having troubles maintaining two separate libraries. I will upload to my iMac, my wife will upload to her iMac, but I want our entire library to be synced on both computers. Furthermore, I want pictures to show up on all devices. How do I get my entire 30000 photo library on my iMac uploaded to iCloud? I want the entire library to be synced to all our devices? I want all of our photos that we have taken to be in one happy consolidated iPhoto Library, accessible on every computer and device.
    Thanks
    Kevin

    This is not yet possible between Macs and iOS devices, but the new Photos.app for Mac, to be released early next year, will support it.
    Right now, only the iOS 8 devices can use iCloud Photo Library (Beta). That will store the Photo Library in iCloud and sync to all iOS devices.  See:    iCloud Photo Library beta FAQ - Apple Support
    Macs can upload to iCloud Photo Library currently only from the web interface:  https://www.icloud.com/#photos.
    It is not clear if the Photos.app for Mac will support family sharing. We do not know much about the new app to come.
    The iOS version only supports one AppleID so far.
    And it cannot yet be recommended to upgrade the iOS devices to Cloud Photo Library Beta, because you will no longer be able to use iTunes Photo Sync or My Photo Stream to upload photos to your iOS devices.
    I want all of our photos that we have taken to be in one happy consolidated iPhoto Library, accessible on every computer and device.
    Added:  iPhoto is a single user database, that needs the iPhoto Library to be stored on a locally connected drive, and it is not possible to store the library on a network volume or cloud storage.  The new Photos.app will support the cloud storage.
    Apple's recommendation for sharing a library between iPhoto users is the sneaker drive:
    iPhoto: Sharing libraries among multiple users

  • Java Plugin With Client Cert Auth and Keepalive

    Hi,
    I have a Java Applet that connects to a site requiring client side certificates. The site is running Apache 2.0.54 with a keepalive timeout of 15 minutes. As a result the applet prompts the user for a client side certificate on its initial connection and does not prompt again unless the user has been idle for more than 15 minutes. My problem is that when we try this through our Squid proxy, the Applet prompts the user on virtually every request, making for a very annoying user experience.
    We have played with both Squid 2.4 and 3.0 and tweaked several promising-sounding parameters with no success. Is there something I am missing? I can mail any logs or config files as needed. One clue is that it does seem to work for requests spaced at about 2 seconds or so apart, but not more.
    Thanks for any insights as to what might be happening here.
    Best,
    Seth

    Issue resolved by creating a role with the relevant UME Action permissions. Not entirely sure if this is the best way forward, but it seems to work.
    If anyone has other suggestions, or better ways of doing this, please let me know.
    Thanks

  • Web service proxy client with client cert cause SSLSessionNotFoundErr

    Hi,
    I tried to run a web service proxy client with a certificate from JDeveloper 10.1.3.0.4 to call a PKI-enabled web service and got the following error:
    WARNING: Unable to connect to URL: due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
    Web service deployed on OAS

    Hi,
    I am trying to invoke a CRM On Demand Web Service from JDeveloper (10.1.3) and I have the same problem:
    ADVERTENCIA: Unable to connect to URL: https://secure-ausomxgfa.crmondemand.com/Services/Integration due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
    java.rmi.RemoteException: ; nested exception is:
         HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
         at testerlast.runtime.Contact_Stub.contactInsert(Contact_Stub.java:96)
         at testerlast.ContactClient.contactInsert(ContactClient.java:88)
         at testerlast.ContactClient.main(ContactClient.java:69)
    Caused by: HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
         at oracle.j2ee.ws.common.util.exception.JAXRPCExceptionBase.<init>(JAXRPCExceptionBase.java:93)
         at oracle.j2ee.ws.common.util.exception.JAXRPCExceptionBase.<init>(JAXRPCExceptionBase.java:89)
         at oracle.j2ee.ws.client.ClientTransportException.<init>(ClientTransportException.java:33)
         at oracle.j2ee.ws.client.http.HttpClientTransport.invokeImpl(HttpClientTransport.java:144)
         at oracle.j2ee.ws.client.http.HttpClientTransport.invoke(HttpClientTransport.java:121)
         at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:169)
         at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:111)
         at testerlast.runtime.Contact_Stub.contactInsert(Contact_Stub.java:80)
         ... 2 more
    To do the invocation I have made a proxy to consume this Web Service, with the following main:
    public static void main(String[] args) {
        try {
            testerlast.ContactClient myPort = new testerlast.ContactClient();
            System.out.println("calling " + myPort.getEndpoint());
            myPort.setUsername(nameUser);
            myPort.setPassword(password);
            ListOfContactData llista = new ListOfContactData();
            ContactData[] contacts = new ContactData[2];
            ContactInsert_Input input = new ContactInsert_Input();
            // Login to the WS over HTTPS
            String idSesion = connexioWS_CRM.logon(URL, nameUser, password);
            // Add contacts
            for (int i = 0; i < contacts.length; i++) {
                // one ContactData object per array slot
                ContactData contact = new ContactData();
                contact.setId("ProvaWSCRM" + i);
                contact.setContactFirstName("JDeveloper" + i);
                contact.setContactLastName("prove" + i);
                contact.setCellularPhone("77777777" + i);
                contact.setDescription("Add contact with Id:" + contact.getId());
                contacts[i] = contact;
                System.out.println("Id:" + contacts[i].getId()
                        + " firstName:" + contacts[i].getContactFirstName()
                        + " lastName:" + contacts[i].getContactLastName());
            }
            llista.setContact(contacts);
            input.setListOfContact(llista);
            input.setEcho("off");
            System.out.println("Pwd:" + myPort.getPassword() + " Port:" + myPort._port
                    + " endpoint:" + myPort.getEndpoint() + " user:" + myPort.getUsername());
            myPort.contactInsert(llista, "LIC", "Broadset", "OFF");
            // Logout from the WS (HTTPS)
            connexioWS_CRM.logoff(URL, idSesion);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
    What's wrong? Any idea?
    Thank you
    Edited by: user12085357 on 31-oct-2009 10:39

  • I have a macbook pro with Lion OS and am using Mac mail.  How do I attach documents as attachments instead of coming up in the body of the email?

    How do I attach a file to mac mail without it going into the body of the email?

    To add to what Kappy said, note that you really can't control how some other mail client might display an attachment.  Some may display them inline, while others may require them to be opened separately.  And different people have different desires in this area...  some want a PDF file, for example, displayed inline, while others prefer for it not to be.  Just attach the file(s) and don't worry about this so much.
    Also, I do have to disagree with Kappy on one point...  I would not say that you "should" compress files and attach the compressed archive file.  That will force all mail clients not to display the attachment inline, but not everyone will want that (you'd be forcing your tastes on all recipients of your e-mail), and some people have difficulty figuring out how to open and view the contents of compressed files.  It's an extra step for you and an extra step for the recipient, and is not needed for most popular file types.  (Of course, we could advise you more specifically if we knew what file types you're dealing with.)

  • Argentina - EBS with format AUZUG and UMSATZ (using MultiCash program)

    Hi,
    We are mapping the external transaction types while configuring EBS with AUZUG and UMSATZ format for our client.
    Does anybody have a document explaining the external transaction types in case of UMSATZ format, based on which we can define the posting rules for these three digit transaction types in Table T028B?
    For e.g
    As in BAI format
    "399" is a Credit belonging to a "miscellaneous credit".....with that information I can map it accordingly in table To28B.
    The same information I require for Multicash - UMSATZ format. What does "N24" or "959" codes mean (or a document defining Argentine Bank - Transaction codes), based on which I will map in SAP?
    Thanks
    Shweta Pethe

    Hello,
    I'd suggest you check with your bank in Argentina whether they can provide you a list of the transaction types they're currently using. Sometimes the transactions vary from one bank to another (even in BAI format).
    Regards,
    Renan

  • Confusion with mail.app and Gmail using imap

    I've had a yahoo.com email address for years, and pay for Mail Plus and POP3, which I frankly don't even use. Now that I've confirmed, however, that I can successfully forward emails from my yahoo box to my new gmail box, I'd like to look into setting up mail.app for the gmail account using imap. Like most people, I access my mail from several places (home & work computers, Touch, and others), and imap makes sense as the right way to go.
    Last night I tried to set things up on mail.app on the Mac, and boy was it confusing in terms of the folders, etc. Is there someplace someone can point me for a sort of "beginner's guide to setting up Gmail/imap with mail.app"? Hopefully this "guide" would give me some hints on setting up various rules, etc. that would allow me to have a setup that makes sense: only one copy of emails, sent items in the sent items folder, etc.
    One more thing: can I set up Gmail/imap with more than one email client? For example, can I use mail.app at home and Thunderbird on the Windows computer in my office? And how is the creation of new folders (or labels, I guess, as Gmail calls them) on the web handled by mail.app (or Thunderbird)? I'm guessing that a new label created on Gmail on the web doesn't automatically result in a folder being created in mail.app (or Thunderbird), or does it? If this is correct (no folder created in mail.app until I create it on the Mac), is the message that was moved to a folder on the web found in mail.app in the All Messages folder (or whatever it's called)?
    Sorry for the basic nature of these questions...this all seems pretty complicated, and I'd like to get it right the first time. Thanks.

    BTW Thanks for the "head's up" that GMail now supports IMAP (I've been waiting for it!)
    I'm not sure what your confusion is, other than maybe the confusion between how folders and messages work in Outlook versus Apple Mail and IMAP. I've used both, and several other mail programs over the years.
    IMAP permits you to have directories which contain message folders. I make the distinction because Outlook allows you to have message folders which contain messages AND other message folders. I believe most implementations of IMAP do not allow messages inside of directories. Thus, a directory looks like a message folder, but it may only contain message folders, and not individual messages.
    Now, GMail appears to create message folders for each label you define in GMail, and messages which have several labels appear in each folder. If you copy the folders to your computer, you WILL have multiple copies of those messages, however if you leave them on the server, GMAIL does all the work and you only have one copy of each message.
    Special folders in GMail are all located in the directory [Gmail] and include the message folders "All Mail", "Drafts", "Sent Mail", "Spam", "Starred" and "Trash". Notice I say "directory" and not "message folder" for "[Gmail]". That is important.
    I cannot attest as to what GMail does when you create a folder from your mail.app client, as I have not done that yet. I would venture a guess that it will define a GMail label and mark any messages you "move" to that folder with that label. The GMail special folder "All Mail" contains all of your mail messages, and is equivalent to selecting "All Mail" when using the web interface.
    Your inbox messages will appear in the section with all of your inboxes at the top of your mailbox list. Make sure that you set your preferences to match the recommended preferences for Apple Mail when setting up your GMail account. Otherwise you will end up with duplicates and/or a lot of unnecessary data transfers to your Mac.
    Hope this helps. If not, please give a more explicit example of something that doesn't work the way you expect.

  • OBIEE: REPORT FROM 2 FACTS WITH ONE SHARED AND ONE UNSHARED DIM; POSSIBLE??

    Hi All,
    We have a typical scenario to build a report from 2 subject areas (ideally from 2 facts).
    Here is the scenario: creating a report based on two facts (2 Subject Areas), one common dimension and one unshared dimension.
    Example
    ======
    Dimension Date is common between Fact Transaction and Fact Credits.
    Dimension Credit Type is applicable only for Fact Credit.
    We have to build a report with the below mentioned attributes/metrics:
    Dim.Date.Attribute (*Common Dimension*)
    Fact.Transaction.Metric
    Fact.Credit.Metric
    Dim.Credit Type.Attribute (*Unshared Dimension*)
    Is this possible in OBIEE..?
    Thanks,
    Govardhana

    Yes, you must use measure levels. Set the column level of each measure from the Transaction Fact to Total for the Credit Type dim.

  • I have two kids with iPod touches and we use one Windows computer; can I use one Apple ID or do they need 2 separate IDs?

    We were a one-iPod touch family and then my son got one on his birthday.  My daughter had an account full of gift cards.  When I added my son's to the computer I used the same Apple ID and now everything is being billed to my CC; when she purchases, even though she has credit, it goes straight to my CC.  Help, how do I fix this?

    You are going to need to change the email address you use with your old ID. Once you have got access to your old account you will then log into both accounts at the same time on your Mac and transfer your data to a single account. We can do this later, but need you to get access to your old account first.
    My Apple ID
