Issue with HTTP Authentication

Similar Messages

• Issue with Anonymous Authentication and updating or starting new projects

  So 2 weeks ago I had a post about Anonymous Authentication found here:
  https://social.technet.microsoft.com/Forums/office/en-US/9b0e6eec-190a-4b48-a280-6adef441659a/issue-with-anonymous-authentication-and-people-picker-and-reports?forum=sharepointgeneral&prof=required
  That issue has been resolved but has created a new issue. We have Anonymous Authentication disabled but when one of our users tries to make a new project she gets the following:
  Unexpected response from server. The status code of response is '0'. The status text of response is ''.
  When she tries to edit an existing project, she gets the following:
  The server was unable to save the form at this time. Please try again.
  If I re-enable the Anonymous Auth. everything works for her again, but then we face the issue from the original post with reports not publishing.
  Any ideas on how to make everything get along?

  #apDiv2 {
      position: absolute;
      width: 698px;
      height: 299px;
      z-index: 1;
      left:50px;
      top: 117px;
      overflow: scroll;
  Don't forget to fix your code errors.  You're still missing a <body> tag in your markup. 
  Nancy O.

• UCM 11g web services with HTTP authentication

  Is it possible to setup UCM 11g web services with HTTP authentication?
  I did setup UCM 11g web services using OWSM policies and are working well.
  But my development team wants to consume web services with only HTTP authentication (simple user name and password), do not want to use Keystore files and encryption.
  Please help me guys.
  Thank you in advance

  Hi ,
  If you are looking to use the WSDL to execute ucm services then use SoapUI IDE on development , there it requires only the http authentication method .
  Let me know if this is the actual requirement which you were looking for or if I have missed the point .
  I use this to quickly test WSDL and verify if the service being invoked is actually correct or not .
  Thanks,
  Srinath
  Edited by: Srinath Menon on Apr 26, 2013 11:32 AM

• Slowness Issues with Windows Authentication in SharePoint Foundation 2010 sites

  All, 
  We are having a strange issue with SharePoint Foundation 2010 sites where sites are very slowly loading when accessed via windows based authentication where as the extended sites in  forms authentication are loading normally.
  There were no error logs or even SharePoint logs also except the images load time is showing with different load times.
  Attached are the patches that were updated to the server that may be issue but not sure. Can some one please share your thoughts.
  SQL connectivity b/w the server is good.there are no n/w issues except that the users are using the sites with a different domain other than the domain in which the servers were hosted.
  There is a trust b/w the two domains.This was never changed and there were no issues in the last 2 years.
  Thanks keshav,Share point Developer

  we do have trusted domains
  Inder : It would be better if you run that command again now.
  Inder: How many AD server do you have
  Inder: Do you notice the login request go to nearest AD server. 
  and https sites. Please share your thoughts.
  Inder: All the certificate have intermedite certificates. You need to logon to each SP server, and install
  these certificates on trusted root authority 
  If this helped you resolve your issue, please mark it Answered

• SCCM 2012 R2 ADR issue with proxy authentication

  Hi,
  We're migrating SCCM 2007 to SCCM 2012 R2.
  In SCCM 2007, the proxy server is configured with user authentication, and this works.
  In SCCM 2012 R2, the Software Update Point is installed locally and connected with a local WSUS 4.0 (Server 2012)
  We use a proxy with user authentication for Update Deployment. (This user is the same as configured in SCCM 2007.)
  The Proxy Server is Blue Coat SG.
  The proxy account is used for:
  The Synchronization works, but Automatic Deployment Rule (ADR) doesn't work.
  When an Automatic Deployment Rule is started, it tries to authenticate 3 times.
  The Patchdownloader.log shows:
  Trying to connect to the root\SMS namespace on the <servername> machine.        Software Updates Patch Downloader        11/8/2013
  12:19:06        3608 (0x0E18)
  Connected to
  \\<servername>\root\SMS        Software Updates Patch Downloader        11/8/2013 12:19:06        3608
  (0x0E18)
  Trying to connect to the
  \\<servername.domain>\root\sms\site_ECM namespace on the <servername.domain> machine.        Software Updates Patch Downloader        11/8/2013
  12:19:06        3608 (0x0E18)
  Connected to
  \\<servername.domain>\root\sms\site_ECM        Software Updates Patch Downloader        11/8/2013 12:19:06        3608
  (0x0E18)
  Download destination =
  \\<servername.domain>\dp_wks_ms_updates$\3208bb5e-bcd9-4389-a0c9-02ef33ccb998.1\XPSEPSC-x86-en-US.exe .        Software Updates Patch Downloader        11/8/2013 12:19:07        3608
  (0x0E18)
  Contentsource =
  http://wsus.ds.www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/xpsepsc-x86-en-us_7ae70ca1330a099080c6c41c4d5b7f19b30dc0cd.exe .        Software Updates Patch Downloader        11/8/2013
  12:19:07        3608 (0x0E18)
  Downloading content for ContentID = 16819067, 
  FileName = XPSEPSC-x86-en-US.exe.        Software Updates Patch Downloader        11/8/2013 12:19:07        3608 (0x0E18)
  Try username <domain\ProxyAccount>        Software Updates Patch Downloader        11/8/2013 12:19:07        8364
  (0x20AC)
  Proxy enabled proxy server <proxyserver>:8080        Software Updates Patch Downloader        11/8/2013
  12:19:07        8364 (0x20AC)
  HttpSendRequest failed HTTP_STATUS_PROXY_AUTH_REQ        Software Updates Patch Downloader        11/8/2013
  12:19:07        8364 (0x20AC)
  Download
  http://wsus.ds.www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/xpsepsc-x86-en-us_7ae70ca1330a099080c6c41c4d5b7f19b30dc0cd.exe to C:\Windows\TEMP\CAB6FD2.tmp returns 407        Software Updates
  Patch Downloader        11/8/2013 12:19:07        8364 (0x20AC)
  ERROR: DownloadContentFiles() failed with hr=0x80070197        Software Updates Patch Downloader        11/8/2013
  12:19:07        3608 (0x0E18)
  Then the proxy user account is locked:
  Trying to connect to the root\SMS namespace on the <servername> machine.        Software Updates Patch Downloader        11/8/2013
  12:20:11        3608 (0x0E18)
  Connected to \\ <servername>\root\SMS        Software Updates Patch Downloader        11/8/2013
  12:20:11        3608 (0x0E18)
  Trying to connect to the
  \\<servername.domain>\root\sms\site_ECM namespace on the <servername.domain> machine.        Software Updates Patch Downloader        11/8/2013
  12:20:11        3608 (0x0E18)
  Connected to
  \\<servername.domain>\root\sms\site_ECM        Software Updates Patch Downloader        11/8/2013 12:20:11        3608
  (0x0E18)
  Download destination =
  \\<servername.domain>\dp_wks_ms_updates$\e0a54221-3ff2-4129-b7cf-89bf5cd1f726.1\Windows-KB943729-x86-ENU.exe .        Software Updates Patch Downloader        11/8/2013
  12:20:12        3608 (0x0E18)
  Contentsource =
  http://wsus.ds.download.windowsupdate.com/msdownload/update/software/updt/2009/10/windows-kb943729-x86-enu_e174c41ce3dcbd5c8922d6d1c39df1be425a70e0.exe .        Software Updates Patch Downloader        11/8/2013
  12:20:12        3608 (0x0E18)
  Downloading content for ContentID = 16824262, 
  FileName = Windows-KB943729-x86-ENU.exe.        Software Updates Patch Downloader        11/8/2013 12:20:12        3608 (0x0E18)
  Try username <domain\ProxyAccount>        Software Updates Patch Downloader        11/8/2013 12:20:12        12480
  (0x30C0)
  Proxy enabled proxy server <proxyserver>:8080        Software Updates Patch Downloader        11/8/2013
  12:20:12        12480 (0x30C0)
  HttpSendRequest failed HTTP_STATUS_FORBIDDEN or HTTP_STATUS_DENIED        Software Updates Patch Downloader        11/8/2013
  12:20:12        12480 (0x30C0)
  Download
  http://wsus.ds.download.windowsupdate.com/msdownload/update/software/updt/2009/10/windows-kb943729-x86-enu_e174c41ce3dcbd5c8922d6d1c39df1be425a70e0.exe to C:\Windows\TEMP\CAB6E4B.tmp returns 403        Software Updates
  Patch Downloader        11/8/2013 12:20:12        12480 (0x30C0)
  ERROR: DownloadContentFiles() failed with hr=0x80070193        Software Updates Patch Downloader        11/8/2013
  12:20:12        3608 (0x0E18)
  The RuleEngine.log shows:
  Failed to download the update from internet. Error = 403 SMS_RULE_ENGINE 11/8/2013 16:18:25 3608 (0x0E18)
  Failed to download ContentID 16824467 for UpdateID 16819978. Error code = 403 SMS_RULE_ENGINE 11/8/2013 16:18:25 3608 (0x0E18)
  It seems that the ADR uses a wrong password when authenticating with the proxy, but this same user works when synchronizing with WSUS.
  We performed the following actions with no result:
  run the ADR manually and automatic,
  reinstalled WSUS and SUP,
  changed proxy user account.
  Regards,
  Matthias

  Currently, the command shows:
  Current WinHTTP proxy settings:
      Direct access (no proxy server).
  We've been testing with:
  upddwnldcfg.exe /s:<proxyserver>:<port> /u:<user> /allusers
  psexec -i -s iexplore.exe, set Internet Explorer proxy manually
  All with same result, proxy user getting locked when ADR runs.
  (These settings have been removed after the test.)
  I think dekac99 would suggest netsh winhttp set proxy or import proxy.
  then turn off proxy use on the role SUP (this way not SCCM will send auth but all winhttp will use proxy)
  the problems with that for me are:
  - if MS implemented role-based proxy usage, why set at http layer - of course this might work as a workaround for the time being so it might be a good idea but I'm just not sure what unwanted issues it may cause
  - the other thing is where I'm not sure, with set proxy you cannot define authentication account. if you use import from IE and the IE prompted for proxy auth, the stored credential will be used on winhttp layer (though I'm not 100% sure of that) - so this
  is just too uncontrolled for me
  - upddwnldcfg.exe will need to run in the name of system account (it stores credentials under HKCU so far I know it will be a per user based setting)
  --> what confuses me, the catalog synch works which should use the same configured proxy and account(?), only ADR does not work. shouldn't they both use the same process for sending account auth info?

• Auto-Signon issue with RADIUS authentication

  Hi all, i post again a question Posted by ronin2307 on Nov 27, 2007, 9:40am PST
  I HAVE THE SAME ISSUE WITH 8.0.3 release!
  Hi,
  we have a fairly simple configuration running on our ASA and try to make use of the webvpn on occasion. The feature used to work great with 7.2, but after we upgraded to 8.0 we started having problems.
  Basically an user (network admin) can log in through the webvpn interface (authenticated by a RADIUS server) and see the links to network shares we provide, click on them and at that point the user is promptedfor credentials again. upon entering them then message comes up that the access to the resources has been blocked due to security reasons.
  Now to me that makes no sense whatsoever. I have already run the following command:
  auto-signon allow ip 192.168.1.0 255.255.255.0 auth-type ntlm
  to try to prevent the second credentials prompt but to doesn't do anything.
  I also tried to capture the webvpn traffic, according to the user manual, but now i have a zip file that contains bunch of files, I cannot read (except notepad, but that doesn't help a lot). Ethereal will not open the files. I couldn't get to display the capture in the browser as described in the manual.
  can anybody give me an idea on what to do to troubleshoot this problem? Thank you very much.

  For single sign on using NTLM on a webVPN set up, you need to ensure you configure it through the command line. Did you use the ASDM for this single sign on? To configure auto-signon for all WebVPN users to servers with IP addresses ranging from
  10.1.1.0 to 10.1.1.255 using NTLM authentication, for example, enter the following
  commands:
  hostname(config)# webvpn
  hostname(config-webvpn)# auto-signon allow ip 10.1.1.1 255.255.255.0 auth-type ntlm
  http://www.cisco.com/en/US/docs/security/asa/asa71/asdm51/selected_procedures/asdmsso.html

• Issue with Anonymous Authentication and People Picker and reports

  Hello,
  We are having an issue with sharepoint 2013 where we have reports that get published to sharepoint via visual studio and we use the people picker for different list.
  The overall issue is SSRS does not work if Anonymous Authentication is enabled which caused this error when trying to publish a report:
  The permissions granted to user 'NT AUTHORITY\ANONYMOUS LOGON' are insufficient for performing this operation. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException:
  The permissions granted to user 'NT AUTHORITY\ANONYMOUS LOGON' are insufficient for performing this operation
  However, if we disable Anonymous Authentication, the people picker search option does not work and we get there error:
  Sorry, we're having trouble reaching the server.
  I found this web blog on a solution, https://blog.karstein-consulting.com/2014/02/18/sharepoint-2013-people-picker-error-sorry-were-having-trouble-reaching-the-server/
  however this did not work.
  Does anyone have ant other suggestions?

  Hi JCrescenzo,
  Please try to get the property of the people picker, perhaps there is a rule that implemented on your environment:
  stsadm -o getproperty -propertyname peoplepicker-searchadcustomfilter -url 
  http://site_collection_url
  If yes, clear it by running:
  stsadm -o setproperty -propertyname peoplepicker-searchadcustomfilter -propertyvalue " " -url
  http://site_collection
  There are two similar posts, please check if they are useful for you:
  https://social.technet.microsoft.com/Forums/en-US/621d439b-f2eb-4dc2-8797-eb7f2f3996e4/people-picker-returning-search-filter-is-invalid-in-uls-log-when-searching-for-users?forum=sharepointgeneralprevious
  https://gavinmckay.wordpress.com/2011/07/15/troubleshooting-sharepoint-2010-claims-based-authentication-with-active-directory-lightweight-directory-services-ad-lds/
  Best Regards,
  Wendy
  Wendy Li
  TechNet Community Support

• Issue with HTTPS in sender soap channel: HTTP 502 Proxy error

  Hi
  We have a situation where we are providing the target url in SOAP receiver channel dynamically.
  This is a synchronous scenario.
  Whenever we use the url starting with "HTTP" it works but on using "HTTPS" we are getting the following error "HTTP 502 Proxy error"
  Kindly help us resolve this issue.

  Hi Anurag
  Have you tried to open the HTTPS  url in the web browser?
  Please check with 3rd party and find out whether the web service supports the HTTPS url or not.
  Please check the doc below. It may help
  502 Bad Gateway Error (What It Is and How To Fix It)

• Webservice with HTTP authentication

  Hi,
  how do i supply the userid an password for a http authenticated webservice.  I already choose the option for http authentication on the security tab on the logical port.
  Alos tried to find it in the Visual Admin to the server but i am stuck.
  Greetings Danny.

  There are two ways to do this
  <b>Option 1: Hard code the Username/Password</b>
  For this, use the method _setUser and _setPassword.
  These are methods for your model class Request_<WebService>_PortType.... (the model class for the webservice). I invoked these methods in the wdDoInit method of the component controller class.
  For example, i imported the WSDL for the RFC SXMB_GET_MESSAGE_LIST and used it like this:
  Request_SXMB_GET_MESSAGE_LISTPortType_SXMB_GET_MESSAGE_LIST oRequest =
  new Request_SXMB_GET_MESSAGE_LISTPortType_SXMB_GET_MESSAGE_LIST();
  oRequest._setUser("bcuser");
  oRequest._setPassword("password");
  <b>Option 2: Use HTTP Destinations</b>
  Open Visual Administrator and goto node Services, Destination Service. Create a HTTP destination with the URL of the webservice, maybe choose basic authentication and give the username / password. Now, you could use this HTTP destination in the component controller class. Even though there is a method _setHTTPDestinationName, this did not work for me. I had to write the following code to retrieve the URL, username, password from the HTTP destination
  import javax.naming.Context;
  import javax.naming.InitialContext;
  import javax.naming.NamingException;
  import java.net.HttpURLConnection;
       InitialContext ctx ;
       Object obj;
       DestinationService dstService;
       Destination destination;
       HTTPDestination httpDestination ;
       HttpURLConnection httpurlconnection = null;
       Properties destprop = null;
       String url = "";
       String username = "";
       String password = "";
            ctx = new InitialContext();
            obj = ctx.lookup(DestinationService.JNDI_KEY);
            dstService = (DestinationService) obj;          
            destination = dstService.getDestination("HTTP","NC_IS");
            destprop = destination.getDestinationProperties();
            httpDestination = (HTTPDestination) destination;
            url = httpDestination.getUrl();
            username = destprop.getProperty("USERNAME");
            password = destprop.getProperty("PASSWORD");  
  (I know the java code sucks and the purists will hang me; nevertheless it works)
  Besides the code, you need to do the following as well:
  (1) In the Package explorer, select your project, right click, cick on "Set Additional Libraries.."
  (2) Select security.class and tc/sec/destinations/interface
  (3) Click on menu Project > Properties, goto Webdynpro refereces node in the tree and add the following
      (a) Interface References: tcsecdestinations~interface
      (b) Service References: tcsecdestinations~service
  All the best, try option 1 first before you embark on the second one.
  Regards, Parag.

• Apple Support admitted an Issue with WEP authentication and some Routers

  After reading many posts here and other places I logged a service call to Apple support. With the particulars: AT&T U-verse 2 Wire router would not connect with WEP would connect with Security disabled. I wanted a call logged before I went past the return time
  I got a call back immediately after a few basic questions I was passed to a product manager for ipads, it seems connectivity issues are taken seriously.
  The upper level support said there were known issues with some routers and WEP security we steeped through changing the security and it works fine now.
  Bottom Line:
  Apple knows there is an issue with some routers
  They were very helpful and acknowledged the issue.
  He even stayed on the line while I reconfigured one of my Windows PC to make sure it connected to the new settings
  I suggest to all to log a call and get a tech support involved before taking the iPad to the local store
  They certainly new their are some connectivity issues. If that does not work you can always return it.
  He did not admit it was a Apple issue and did not commit that Apple was working on it but it is something they are aware of.
  So skip the Apple store got right to tech support.
  Just my 2 cents.

  "But folks need to go straight to tech support. I live in oz, so it will be interesting to see if they help me.. or not.. but if support gets inundated they will fix it or have a massive recall (not likely on the latter)."
  Can't agree more. I used to manage a tech support department and it is all about the numbers. No matter how many forum entries the issues that get addressed are dictated by the reports.
  So for those that are buying new routers contact Tech Support first even if you end up getting a new router the call is logged that will get Apple's attention.
  People that are not familiar with post launch processes have no idea how things that need to get corrected and enhanced are dictated by support requests

• SCCM 2012 issue with HTTPS

  Hello,
  I have been trying to get a new SCCM 2012 environment running and I’ve hit a road block and hope someone can help. 
  I have installed SCCM 2012 SP1 w/ CU2 on a Windows 2012 server w/ MS SQL 2012. 
  When I installed SCCM I chose the PKI option and followed the instructions below to setup all the required certificates. 
  I have not yet installed any clients until I’ve verified everything is working correctly on the server.
  PKI Setup Followed -> http://technet.microsoft.com/en-us/library/gg682023.aspx
  The errors I’m seeing-
  Both the Management Point and PORTALWEB are not responding to HTTP requests. 
  “The http status code and text is 401, Unauthorized.”  I was chalking this up to how I have SCCM setup for HTTP only, but I could be wrong in thinking this.
  If I navigate to either
  https://<ServerName>/sms_mp/.sms_aut?mplist OR
  https://<ServerName>/sms_mp/.sms_aut?mpcert I get the error “HTTP Error 403.7 – Forbidden”.
  Below is a log grab from mpcontrol.log
  SSL is enabled.  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Client authentication is also enabled.     
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  CRL Checking is also enabled.     SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Machine name is 'SERVERNAME'.            
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Begin validation of Certificate [Thumbprint xxxxb8aa] issued to 'SERVERNAME' 
  SMS_MP_CONTROL_MANAGER               
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Completed validation of Certificate [Thumbprint xxxxdb8aa] issued to 'SERVERNAME'               
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Skipping this certificate which is not valid for ConfigMgr usage. 
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM       5060 (0x13C4)
  There are no certificate(s) that meet the criteria.             
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM        
  5060 (0x13C4)
  Performing machine FQDN to SAN2 search.        
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Begin validation of Certificate [Thumbprint xxxx8196] issued to 'SERVERNAME' 
  SMS_MP_CONTROL_MANAGER               
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Certificate has "SSL Client Authentication" capability.     
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM        
  5060 (0x13C4)
  Completed validation of Certificate [Thumbprint xxxx8196] issued to 'SERVERNAME'               
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Begin validation of Certificate [Thumbprint xxxx3324] issued to 'SERVERNAME' 
  SMS_MP_CONTROL_MANAGER               
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Certificate has "SSL Client Authentication" capability.     
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM        
  5060 (0x13C4)
  Completed validation of Certificate [Thumbprint xxxx3324] issued to 'SERVERNAME'               
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Begin validation of Certificate [Thumbprint xxxxb8aa] issued to 'SERVERNAME' 
  SMS_MP_CONTROL_MANAGER               
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Completed validation of Certificate [Thumbprint xxxxb8aa] issued to 'SERVERNAME'               
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Begin validation of Certificate [Thumbprint xxxx8bdf] issued to 'SERVERNAME' 
  SMS_MP_CONTROL_MANAGER               
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Certificate doesn't have "SSL Client Authentication" capabilities.              
  SMS_MP_CONTROL_MANAGER               
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Completed validation of Certificate [Thumbprint xxxx8bdf] issued to 'SERVERNAME'               
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  >>> Selected Certificate [Thumbprint xxxx3324] issued to 'SERVERNAME' for HTTPS Client Authentication               
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden               
  SMS_MP_CONTROL_MANAGER             
  8/23/2013 12:37:00 PM  5060 (0x13C4)
  NOTE – “Certificate [Thumbprint xxxx3324]” is the certificate binded to the Default Web Site as instructed in the PKI setup documentation.
  What I have done-
  Verified that the web and client certificates have the same and valid trusted root certificate.
  Disabled CRL checking on web server.
  If I modify the SSL Setting for SMS_MP in IIS to anything other than “Client Certificate: Required” then the 403 error goes away for the MPLIST and MPCERT checks and they are successful. 
  But this is changing the default setting and I am cautious to do this since it will decrease security. 
  Also I’m not sure where else would need to be changed and potentially breaking other functionality.
  Any help on this would be greatly appreciated!  Thank you

  Hello,
  I am still getting the error “HTTP Error 403.7 – Forbidden” when navigating to either
  https://<ServerName>/sms_mp/.sms_aut?mplist OR
  https://<ServerName>/sms_mp/.sms_aut?mpcert .  In the IIS logs I see the below when I try the links above-
  GET /sms_mp/.sms_aut mplist 443 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729)
  - 500 0 64 3
  GET /sms_mp/.sms_aut mplist 443 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729)
  - 403 7 5 5
  GET /sms_mp/.sms_aut mpcert 443 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729)
  - 500 0 64 1
  GET /sms_mp/.sms_aut mpcert 443 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729)
  - 403 7 5 29
  Anyone else seen this issue?  Have a possible resolution?  Thanks!
  When you use Internet Explorer to test out the Management Point, you will have to ensure that you have installed a
  Client Authentication certificate into your Current User certificate store. When Internet Explorer is running under your user account, it will not search for certificates inside the
  Local Computer certificate store.
  Go ahead and enroll your user account in a Client Authentication certificate, and then try the request again. Internet Explorer will detect that a
  Client Authentication certificate is required for the IIS website, and will prompt you to select the appropriate certificate to use for the request. See the screenshot below for an example.
  After selecting the appropriate Client Authentication certificate, the request should succeed, and the XML response you are expecting will be displayed. In my screenshot below, the reason the certificate is not showing as "valid"
  in Internet Explorer, is because it uses the Subject Name format that ConfigMgr requires for site system roles that are accessible from Internet
  and Intranet.
  Cheers,
  Trevor Sullivan
  Microsoft MVP: PowerShell
  If this post was helpful, please click the little "Vote as Helpful" button :)
  Trevor Sullivan
  Trevor Sullivan's Tech Room
  Twitter Profile

• Login issue with sql Authentication

  I create my login with read only sql Authenticator. I made my login through weblogic console. Enable ADF security and specify Authentication welcome given by through system.(Aplication->secure->configure ADF security).
  all of my users and roles are in db table. I am using oracle ADF 11 g 2 release and oracle db 10g.
  now after I log to the system. my log file display following error.
  is it error? I am not used LDAP. pls help me regarding below matter....
  Target URL -- http://localhost:7101/Librarywork-ViewController-context-root/login.html
  <JpsIdentityManagementProvider> <getIdmUserList> WARN_NO_USERS_PATTERN
  oracle.security.idm.ObjectNotFoundException: No User found matching the criteria
       at oracle.security.idm.providers.stdldap.util.DirectSearchResponse.initSearch(DirectSearchResponse.java:173)
       at oracle.security.idm.providers.stdldap.util.NonPagedSearchResponse.<init>(NonPagedSearchResponse.java:53)
       at oracle.security.idm.providers.stdldap.util.NonPagedSearchResponse.<init>(NonPagedSearchResponse.java:44)
       at oracle.security.idm.providers.stdldap.util.LDAPRealm.searchUsers(LDAPRealm.java:489)
       at oracle.security.idm.providers.stdldap.LDIdentityStore.search(LDIdentityStore.java:272)
       at oracle.security.idm.providers.stdldap.LDIdentityStore.searchUsers(LDIdentityStore.java:365)
       at oracle.adf.share.security.providers.jps.JpsIdentityManagementProvider.getIdmUserList(JpsIdentityManagementProvider.java:505)
       at oracle.adf.share.security.providers.jps.JpsIdentityManagementProvider.getUserProfileList(JpsIdentityManagementProvider.java:386)
       at oracle.adf.share.security.identitymanagement.UserManager.getUserProfileList(UserManager.java:314)
       at oracle.adf.share.security.identitymanagement.UserProfile.initialize(UserProfile.java:91)
       at oracle.adf.share.security.identitymanagement.UserProfile.<init>(UserProfile.java:81)
       at oracle.adf.share.security.providers.jps.JpsSecurityContext.getUserProfile(JpsSecurityContext.java:115)
       at oracle.adf.share.ADFContext.getEnterpriseId(ADFContext.java:850)
       at oracle.adfinternal.controller.util.LogUtils.getApplicationName(LogUtils.java:392)
       at oracle.adfinternal.controller.util.LogUtils.gotApplicationName(LogUtils.java:384)
       at oracle.adfinternal.controller.util.LogUtils.getTimer(LogUtils.java:161)
       at oracle.adfinternal.controller.util.LogUtils.getTimer(LogUtils.java:209)
       at oracle.adfinternal.controller.metadata.MetadataServiceImpl.initializePageFlow(MetadataServiceImpl.java:374)
       at oracle.adfinternal.controller.metadata.MetadataServiceImpl.getPerUserCache(MetadataServiceImpl.java:355)
       at oracle.adfinternal.controller.metadata.MetadataServiceImpl.getPerUserCache(MetadataServiceImpl.java:324)
       at oracle.adfinternal.controller.metadata.MetadataServiceImpl.getAdfPageFlow(MetadataServiceImpl.java:180)
       at oracle.adfinternal.controller.metadata.MetadataServiceImpl.getPageFlow(MetadataServiceImpl.java:435)
       at oracle.adfinternal.controller.metadata.MetadataServiceImpl.getActivity(MetadataServiceImpl.java:169)
       at oracle.adfinternal.controller.state.ViewPortContextImpl.getPhysicalURI(ViewPortContextImpl.java:1104)
       at oracle.adfinternal.controller.application.AdfcPageResolver.getPhysicalURI(AdfcPageResolver.java:75)
       at oracle.adf.controller.faces.lifecycle.Utils.getPagePathFromViewId(Utils.java:44)
       at oracle.adfinternal.controller.application.model.UpdateBindingListener.setBindingELVariable(UpdateBindingListener.java:108)
       at oracle.adfinternal.controller.application.model.UpdateBindingListener.beforePhase(UpdateBindingListener.java:61)
       at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.beforePhase(ADFLifecycleImpl.java:550)
       at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchBeforeEvent(LifecycleImpl.java:100)
       at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchBeforePagePhaseEvent(LifecycleImpl.java:147)
       at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchBeforePagePhaseEvent(ADFPhaseListener.java:119)
       at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.beforePhase(ADFPhaseListener.java:63)
       at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.beforePhase(ADFLifecyclePhaseListener.java:44)
       at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:324)
       at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:207)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:508)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:173)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:125)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
       at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
       at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
       at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
       at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
       at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
       at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  <ViewHandlerImpl> <_checkTimestamp> Apache Trinidad is running with time-stamp checking enabled. This should not be used in a production environment. See the org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION property in WEB-INF/web.xml
  <UIXEditableValue> <_isBeanValidationAvailable> A Bean Validation provider is not present, therefore bean validation is disabled
  thks.
  thisu..

  This is not error(just wrong log level in one of adf libraries)
  If you don't want to see this message, change log level for oracle.adf.share.security to SEVERE
  You can do that form Enterprise Manager(but you probably don't have that on integrated WLS) or from Weblogic Scripting Tool(WLST), something like this:
  setLogLevel(target=<servername>,logger="oracle.adf.share.security",level="SEVERE", addLogger=1)Dario

• Strange issue with key authentication

  I just installed Arch again after being away for a few years. Almost everything is running smoothly, but I ran into a weird problem with openssh. Namely, I can successfully log in with a  key only if in /etc/ssh/sshd_config instead of the default
  AuthorizedKeysFile .ssh/authorized_keys
  I put
  AuthorizedKeysFile /home/testuser/.ssh/authorized_keys
  Of course I'd like to be able to use key authentication for more than just one user. Any ideas what I should change to make this possible?
  The rest of the config file is:
  # $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
  # This is the sshd server system-wide configuration file. See
  # sshd_config(5) for more information.
  # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
  # The strategy used for options in the default sshd_config shipped with
  # OpenSSH is to specify options with their default value where
  # possible, but leave them commented. Uncommented options change a
  # default value.
  #Port 22
  #AddressFamily any
  ListenAddress 0.0.0.0
  #ListenAddress ::
  # The default requires explicit activation of protocol 1
  #Protocol 2
  # HostKey for protocol version 1
  #HostKey /etc/ssh/ssh_host_key
  # HostKeys for protocol version 2
  #HostKey /etc/ssh/ssh_host_rsa_key
  #HostKey /etc/ssh/ssh_host_dsa_key
  # Lifetime and size of ephemeral version 1 server key
  #KeyRegenerationInterval 1h
  #ServerKeyBits 1024
  # Logging
  # obsoletes QuietMode and FascistLogging
  #SyslogFacility AUTH
  #LogLevel INFO
  # Authentication:
  #LoginGraceTime 2m
  #PermitRootLogin yes
  #StrictModes yes
  MaxAuthTries 6
  #MaxSessions 10
  RSAAuthentication yes
  PubkeyAuthentication yes
  AuthorizedKeysFile /home/ardo/.ssh/authorized_keys
  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  #RhostsRSAAuthentication no
  # similar for protocol version 2
  #HostbasedAuthentication no
  # Change to yes if you don't trust ~/.ssh/known_hosts for
  # RhostsRSAAuthentication and HostbasedAuthentication
  #IgnoreUserKnownHosts no
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
  # To disable tunneled clear text passwords, change to no here!
  PasswordAuthentication yes
  #PermitEmptyPasswords no
  # Change to no to disable s/key passwords
  ChallengeResponseAuthentication no
  # Kerberos options
  #KerberosAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
  #KerberosGetAFSToken no
  # GSSAPI options
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
  # be allowed through the ChallengeResponseAuthentication and
  # PasswordAuthentication. Depending on your PAM configuration,
  # PAM authentication via ChallengeResponseAuthentication may bypass
  # the setting of "PermitRootLogin without-password".
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
  UsePAM yes
  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no
  X11Forwarding yes
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  #PrintMotd yes
  #PrintLastLog yes
  #TCPKeepAlive yes
  #UseLogin no
  #UsePrivilegeSeparation yes
  #PermitUserEnvironment no
  #Compression delayed
  #ClientAliveInterval 0
  #ClientAliveCountMax 3
  #UseDNS yes
  #PidFile /var/run/sshd.pid
  #MaxStartups 10
  #PermitTunnel no
  #ChrootDirectory none
  # no default banner path
  #Banner none
  # override default of no subsystems
  Subsystem sftp /usr/lib/ssh/sftp-server
  # Example of overriding settings on a per-user basis
  Match User anoncvs
  #X11Forwarding no
  #AllowTcpForwarding no
  #ForceCommand cvs server

  The default values in sshd_config aren't correct for the location of the authorized key file. See This Bug Post
  Therefore, to resolve this, do one of these
  1) Comment the line "#AuthorizedKeysFile    .ssh/authorized_keys"
  2) Change the line to "AuthorizedKeysFile %h/.ssh/authorized_keys"
  My Original Post:
  I cannot offer any helpful advice for resolution, but I can contribute that I am also having this issue. The default value for the authorized_keys location, as well as "~/.ssh/authorized_keys" does not work, however "/home/<username>/ssh/authorized_keys" does...
  Actually, After a bit of tinkering, I rectified my sshd_config with a .pacnew and it seems to be working, at least with my macbook. Here is my sshd_config:
  # $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
  # This is the sshd server system-wide configuration file. See
  # sshd_config(5) for more information.
  # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
  # The strategy used for options in the default sshd_config shipped with
  # OpenSSH is to specify options with their default value where
  # possible, but leave them commented. Uncommented options change a
  # default value.
  Port 40000
  Port 22
  #AddressFamily any
  ListenAddress 192.168.1.103
  #ListenAddress ::
  # The default requires explicit activation of protocol 1
  #Protocol 2
  # HostKey for protocol version 1
  #HostKey /etc/ssh/ssh_host_key
  # HostKeys for protocol version 2
  #HostKey /etc/ssh/ssh_host_rsa_key
  #HostKey /etc/ssh/ssh_host_dsa_key
  # Lifetime and size of ephemeral version 1 server key
  #KeyRegenerationInterval 1h
  #ServerKeyBits 1024
  # Logging
  # obsoletes QuietMode and FascistLogging
  #SyslogFacility AUTH
  #LogLevel INFO
  # Authentication:
  LoginGraceTime 2m
  PermitRootLogin no
  #StrictModes yes
  #MaxAuthTries 6
  #MaxSessions 10
  #RSAAuthentication yes
  #PubkeyAuthentication yes
  #AuthorizedKeysFile .ssh/authorized_keys
  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  #RhostsRSAAuthentication no
  # similar for protocol version 2
  #HostbasedAuthentication no
  # Change to yes if you don't trust ~/.ssh/known_hosts for
  # RhostsRSAAuthentication and HostbasedAuthentication
  #IgnoreUserKnownHosts no
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
  # To disable tunneled clear text passwords, change to no here!
  #PasswordAuthentication yes
  #PermitEmptyPasswords no
  # Change to no to disable s/key passwords
  ChallengeResponseAuthentication no
  # Kerberos options
  #KerberosAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
  #KerberosGetAFSToken no
  # GSSAPI options
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
  # be allowed through the ChallengeResponseAuthentication and
  # PasswordAuthentication. Depending on your PAM configuration,
  # PAM authentication via ChallengeResponseAuthentication may bypass
  # the setting of "PermitRootLogin without-password".
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
  UsePAM yes
  AllowAgentForwarding yes
  AllowTcpForwarding yes
  #GatewayPorts no
  X11Forwarding yes
  X11DisplayOffset 10
  X11UseLocalhost yes
  PrintMotd yes
  #PrintLastLog yes
  #TCPKeepAlive yes
  #UseLogin no
  #UsePrivilegeSeparation yes
  #PermitUserEnvironment no
  #Compression delayed
  #ClientAliveInterval 0
  #ClientAliveCountMax 3
  #UseDNS yes
  #PidFile /var/run/sshd.pid
  #MaxStartups 10
  #PermitTunnel no
  #ChrootDirectory none
  # no default banner path
  #Banner none
  # override default of no subsystems
  Subsystem sftp /usr/lib/ssh/sftp-server
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  # X11Forwarding no
  # AllowTcpForwarding no
  # ForceCommand cvs server
  Last edited by losl (2010-04-12 15:31:46)

• Issue with SAP Authentication in a Windows 2003 64 Bits Server

  Hi Experts
      I have an issue in a Windows 2003 64 Bits Server in CMC when i'm in the authentication section i choose SAP the Role Import works fine and I can see the Users Group from SAP BW but the users don't appear.
      I try the same thing in a Windows 2003 32 Bits with the same parameters and works fine i can see de User Groups and The Users from the same BW Server.
  I Think i could be a problem with the 64 bits server the issue is the users from SAP BW are not imported.
  Regards Marvin Soto.

  Hi Ingo,
                we have some thing similar issue. can you please help us out.
  We Imported users and in options we selected concurrent and every thing worked fine up to 1 month and then automatically our license key say you have only 2 named users. we have a license key for 100 named users now. do we need to delete all the concurrent users from sap now and we need to re-import them by selecting named in options tab of sap. what is the work around for this. i tested by changing the one of the sap user profile to named instead of concurrent, then i am able to login to infoview using sap credentials but when i open a report its says you don't have enough license to perform this operation. can i know why is this happening.
              Environment:
                                     BOBJ XI 3.1, SUN SOLARIS, SAP INTEGRATION KIT.
  Thanks,
  SK.
  Edited by: Siva Vallabhaneni on May 27, 2009 3:28 PM

• Strange Issue with IIS authentication in Clustered BAM environment

  Here's my configuration:
  Cluster #1 - prbam01
  Node 1 pbm101
  Node 2 pbm102
  This cluster is running ADC, event service, enterprise link, and IIS (IIS up on both nodes)
  Cluster #2 - prbam02
  Node 1 pbm103
  This cluster is running report cache and IIS. End users will hit this IIS for reports, admin, etc.
  Problem:
  The IIS on cluster 1, node 1 (pbm101) will never authenticate when trying to access the BAM web pages with any URL (http://prbam01/oraclebam or http://pbm101/oraclebam). It exhibits this behaviour whether it is the active cluster node or not. Cluster 1, node 2 exhibits correct behaviour in that it works at URL http://pbm102/oraclebam at all times and at http://prbam01/oraclebam when it is the active node.
  I have check IIS security settings and they appear exactly the same on both boxes. ADC and everything else seems to be running ok when node 1 is the active node, just the BAM web pages do not authenticate.

  This seems to be an IIS specific problem on pbm101 alone.
  Did you check the directory security settings for the OracleBAM application on pbmbam101 ? Any of the authenticated access methods should be enabled, or users cannot access certain pages from the local network, since IIS would be using anonymous authenication. That would normally not be a problem, but for IE sending in credentials that will be different from the account on the IIS server used for anonymous access. I suggest copying the directory security settings from the other node in the cluster (for all directories!!).
  Another additional point is that IIS ultimately uses file and directory permissions to resolve access rights. So you can check the permissions on the public folders used by IIS and ASP.Net.