Jabber SSO for PKI / Kerberos LogOn via Card&fingerPrint

Similar Messages

• SSO For Jabber 10.5

  Hi,
  Has anyone Configured SSO for Jabber successfully with CUCM 10.5 Version.
  I am getting following error after Exchanging Meta Data with ADFS Server.
  Can anyone suggest further troubleshooting steps. Of if there is any detailed guide for SSO with jabber please advice.
  Thanks

  You may verify your configuration from the below guides. There are sample configurations.
  Enable SAML SSO in Jabber Clients Configuration Example
  http://www.cisco.com/c/en/us/support/docs/unified-communications/jabber-windows/118774-configure-jabber-00.html
  AD FS Version 2.0 Setup for SAML SSO Configuration Example
  http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118771-configure-samlsso-00.html
  Unified Communications Manager Version 10.5 SAML SSO Configuration Example
  http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-version-105/118770-configure-cucm-00.html
  Unity Connection Version 10.5 SAML SSO Configuration Example
  http://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/118772-configure-ucxn-00.html
  SAML SSO Setup with Kerberos Authentication Configuration Example
  http://www.cisco.com/c/en/us/support/docs/unified-communications/jabber-windows/118773-configure-kerberos-00.html

• MIT Kerberos integration via Oracle ASO for Instant Client

  Is Oracle planning on adding support for the Oracle ASO module (specifically for the use of MIT Kerberos authentication) to the Oracle Instant Client?
  Last time I checked (about 2 years ago) they had not, but I'm hoping they are working on it.
  Update: I originally posted this back in Feb 2007, and now it's June 2007...... No replies..... Does anyone know if Oracle will add support for MIT Kerberos Authentication to the Instant Client?
  Message was edited by:
  dkwhisle

  I haven't seen many requests of ASO support being requested for Instant Client nor have I heard of it being included any time soon (in any Instant Client-related press). You should pose the question to Oracle support or your Oracle sales representative.

• "SSO" for non-sap web application using SAPGUI to browse?

  I have a web application (non SAP) and the user base are also SAP users in an ABAP system.
  To strengthen the authentication in the web app, I wanted to implement SSO 
  authentication as we pity the users for having to remember so many strong pw's and I
  dont like LDAP based pw sync or other technology I dont understand, because then we are
  just yet another application with the same pw...
  We are having technical problems implementing SSO on the web app side, and are anyway a
  bit sceptical about the user admin / role admin assignment if we get it to work.
  So I have created a transaction in SAP which browses the web app and the intention is to
  send the SAP sy-uname as the web app user. We can control this using s_tcode, and
  an own auth object on the WAS side and a check on the session type before the connection is
  established. In this sense we are dependent on the SAP concept implemented, but even so:
  The role assignment is controlled in the web app itself -> so assume that I am not overly
  worried about unauthorized access to the web application, as they would not have any
  system role for it as their sy-uname does not exist. (Infact we can monitor this)
  The browser on the front end is the SAPGUI with html controls on the SAP side.
  I would be interested in knowing whether anyone else has experience with this approach, and
  whether there are any areas to be carefull of?
  I would also like to know whether this is a strategic error?
  Kind regards,
  Julius

  Hi Julius,
  well, if that web application would run on the same ABAP backend system then the solution described in <a href="http://service.sap.com/~iron/fm/011000358700000431401997E/0612670">SAP Note 612670</a> would be applicable:
  a so-called "Re-entrance ticket" (based on the "SAP logon ticket" SSO proceedings) is issued, transported via the SAPGUI connection and back to the system via the invoked HTML control.
  But for non-SAP web applications that does not help.
  In that case only X.509 client certificates can be used for SSO. Actually, the web application could then also be invoked directly (independent from the SAPGUI session). The user is authenticated based on the X.509 client certificate - and not based on the ABAP userID (of the SAPGUI session).
  Well, if you don't mind the effort you could also use the "SAP Logon Ticket evaluation library" (sapssoext, see <a href="http://service.sap.com/~iron/fm/011000358700000431401997E/0304450">SAP Note 304450</a>) to evalute the SAP logon ticket externally. You'll then need to have a "stub application" at the ABAP side that triggers the http redirect to your external web application. Not a nice solution but a possible one.
  In the future SAML browser artifacts would be an option (preferable to integrate non-SAP applications). But currently that's not available (for NWAS ABAP).
  Cheers, Wolfgang

• CRM single sign on (SSO) to R/3 system via ITS 6.20

  Hi all
  I try to configue CRM2007 single sign on (SSO) to R/3 system via ITS 6.20.
  my configuraion process
  1. on CRM2007
  -profile : login/accept_sso2_ticket = 1
                login/create_sso2_ticket = 2
  - t-code : strustsso2 --> export system PSE
  2. on R/3 system
  - profile : login/accept_sso2_ticket = 1
                 login/create_sso2_ticket = 0
  - t-code : strust --> import certification --> add certification list --> save
  - t-code : oss2 --> execute with crm rfcdestination --> all green.
  3. ITS
  ~appserver      r/3.domain
  ~client     
  ~clientcert      1
  ~cookies      1
  ~exiturl     
  ~hostsecure      itshost.domain
  ~hostunsecure      itshost.domain
  ~language     
  ~login     
  ~logingroup     
  ~messageserver     
  ~multiinstanceservices      1
  ~password     
  ~portsecure      443
  ~portunsecure      80
  ~routestring     
  ~runtimemode      pm
  ~systemname      R/3 SID
  ~systemnumber      R/3 system no
  ~theme      99
  ~timeout      600
  ~urlimage      /sap/its/graphics
  ~urlmime      /sap/its/mimes
  ~usertimeout      240
  ~xgateway      sapdiag
  ~xgateways      sapdiag,sapxgwfc,sapxginet,sapextauth
  ~mysapcomgetsso2cookie 
  ~mysapcomusesso2cookie  1
  ~mysapcomssonoits  1
  for SSO check, execute web ui and then log on web ui
  I go to the Interation center and then go to the ERP information.
  but ITS log on screen appear.
  crm user and r/3 user is same.
  how can I do ??

  You use Server Port 3600, message server.
  It means, while creating a system you used wrong template and picked "SAP system using dedicated application server".
  You should use "SAP system with load balancing", since message server is doing load balancing.
  Once you selected correct template you will see "Message Server" instead of App and GW servers.
  Make sure to fill in
  Group  - Logon group to use. If not defined in R3, use SPACE
  Message Server - ansapdev01
  SAP Client = 150
  SAP System ID <SID> = DEV
  Server Port 3600
  System Type = SAP R/3
  It should work.
  Regards,
  Slava

• SSO for Enterprise Portal 6 with different Portal and R/3 userIDs

  Hi there,
  We are using SNC library for SAP GUI logon to R/3 and SPNEGO for Web access to EP. What works for us currently is:
  SSO from Windows logon to Portal using SPNego (LDAP as our datasource with AD)
  However once we are inside the portal, the SSO to R/3 using SNC is not working. I have my Portal user mapped to my R/3 user as they are different usernames.
  But, if i launch SAP GUI on its own i can SSO into R/3 no problem.
  So, i have 3 queries here!
  1) Why am i not able to SSO into R/3 once i have SSO into Portal?
  2) Is there any way around the high maintenance of the user mapping?
  3) I have read on SAP Help about "Using an LDAP Directory Attribute as the ABAP User ID" but this will still require user / administrator to maintain the R/3 password.
  Is it possible to disable the R/3 password and thus have no maintenance as the R/3 (ABAP) User ID will be stored in LDAP attribute?
  Hoping you can help...
  Thanks.

  Answers below:
  1)
  When you say "ITS" I assume you are referring to the Integrated ITS in NetWeaver, not the external ITS product ?
  Anyway, if you are referring to Integrated ITS, then surely you are using webgui, not SAP GUI. The webgui is accessed via browser and is not related to SNC or SAP GUI product. The SAP GUI product is a Windows application that uses SNC to authenticate to SAP systems.
  If you are logged onto portal, which is a J2EE application and trying to access webgui which is running on ABAP Engine, then this might not work becasue your SSO2 trust is not setup correctly. Do you see an error in work process log saying anything about why the SSO2 ticket is not accepted ? Also, if ABAP and JAVA are on same system and Java Engine was installed as an add-in, you might need to create new SSO2 certificates to avoid a clash, and change client number from 000 to something else so SSO2 tickets issued in J2EE engine are differentiated from SSO2 tickets issued by ABAP Engine, but they are still trusted through configuration in STRUSTSSO2 t-code.
  2)
  You need to use a different product, which is available from a SAP partner to do this. I am not allowed to mention third party products on this forum, so if you want to know more you will have to contact me offline via email.
  3)
  See answer to question 2.
  Thanks,
  Tim

• Setting up SSO with SNC/Kerberos

  I'm trying to setup SSO for SAPGui with backend ECC5 on Windows 2003. I have followed the section of the install guide called SAP WebAS 6.40 SR1 because I can't find a ECC5 version so possibly what I am trying to do is not possible?
  Steps that I did...
  1. I've downloaded the gsskrb5.dll and put in c:\windows\system32
  2. Added the profile parameters:
  snc/enable = 1
  snc/identity/as = p:SAPServiceIDS{at symbol}sscit.com.au
  snc/gssapi_lib = C:\WINDOWS\system32\gsskrb5.dll
  3. I'm still using the local account at this stage because I'm not sure how to create a domain account that can start the sap instance on this machine. I also have played with Service Principle but again I'm not sure really what I am doing.
  So anyhow, after I made the parameter changes and restarted the sap instance the dispatcher soon failed with the following errors in all the wp logs...
  rdisp/reinitialize_code_page -> 0
  M  icm/accept_remote_trace_level -> 0
  M  rdisp/no_hooks_for_sqlbreak -> 0
  N  SncInit(): Initializing Secure Network Communication (SNC)
  N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
  N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
  N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
  N  SncInit():   found snc/data_protection/use=9, using 3 (Privacy Level)
  N  SncInit(): found  snc/gssapi_lib=C:\WINDOWS\system32\gsskrb5.dll
  N    File "C:\WINDOWS\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
  N  *** ERROR => SncPDLInit(): gss_indicate_mechs() failed
  N   [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT  [sncxxdl.c 452]
  N        GSS-API(maj): Miscellaneous Failure
  N        GSS-API(min): Kerberos SSPI not usable with this User account
  N      STOP! -- initial call to gss_indicate_mechs() failed
  M  *** ERROR => ErrISetSys: error info too large [err.c        931]
  M  Wed Oct 08 10:06:29 2008
  M  LOCATION    SAP-Server redback_IDS_11 on host redback (wp 15)
  M  ERROR       GSS-API(maj): Miscellaneous Failure
  M  GSS-API(min): Kerberos SSPI not usable with this User account
  M  STOP! -- initial call to gss_indicate_mechs() failed
  M  TIME        Wed Oct 08 10:06:29 2008
  M  RELEASE     640
  M  COMPONENT   SNC (Secure Network Communication)
  M  VERSION     5
  M  RC          -1
  M  MODULE      sncxxdl.c
  M  LINE        452
  M  DETAIL      SncPDLInit(
  M  SYSTEM CALL gss_indicate_mechs
  M  ERRNO      
  M  ERRNO TEXT 
  M  DESCR MSG NO
  M  DESCR VARGS GSS-API(maj): Miscellaneous Failure;;;;
  M  ;;;;GSS-API(min): Kerberos SSPI not usable with this User account;;;;
  M  ;;;;STOP! -- initial call to gss_indicate_mechs() failed
  M  DETAIL MSG N
  M  DETAIL VARGS
  M  COUNTER     1
  N  *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) C:\WINDOWS\system32\gsskrb5.dll not loaded
  N   [sncxxdl.0604]<<- ERROR: SncInit()==SNCERR_INIT
  N           sec_avail = "false"
  M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000001) [thxxsnc.c    223]
  M  *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c    225]
  M  in_ThErrHandle: 1
  M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   9461]
  I also tried the gsstest and got the following log file...
  TEST: acquiring default initiating credentials (simple)
  RESULT  OK
  TEST: acquiring default initiating credentials (query)
  RESULT  OK
  TEST: acquiring initiating credentials (gss_name_t)
  RESULT  OK
  TEST: acquiring initiating credentials (printable name)
  RESULT  OK
  TEST: acquiring initiating credentials (can. printable name)
  RESULT  OK
  TEST: acquiring accepting credentials for target (printable name)
    for identity "SAPServiceIDS{at symbol}sscit.com.au"
  Status:  gss_acquire_cred Acc() == (GSS_S_NO_CRED)
           gss_display_status(0x00070000,GSS_S_GSS_CODE) =
             "No valid credentials provided (or available)"
           gss_display_status(0x1360000d,GSS_S_MECH_CODE) =
             "SSPI::AccSctx#1()==Logon attempt failed"
  RESULT  NOT ok (rc=1)
  TEST: acquiring accepting credentials for target (can. printable name)
  Status:  gss_acquire_cred Acc() == (GSS_S_NO_CRED)
           gss_display_status(0x00070000,GSS_S_GSS_CODE) =
             "No valid credentials provided (or available)"
           gss_display_status(0x1360000d,GSS_S_MECH_CODE) =
             "SSPI::AccSctx#1()==Logon attempt failed"
  RESULT  NOT ok (rc=1)
  Note: I've changed the @'s to {at symbol} to get message posted.
  I hope somebody is able to help me progress past this.
  Thank you.

  Hello all,
  I'm sorry if someone has invested time looking into this for me. I have resolved it. Basiscally as per OSS Note 352295, "Kerberos authentication is only available for Domain Accounts that are managed by Microsoft Active Directory, NOT for local computer users". So I went through the excercise of changing the sap services to start with a domain account instead of the local account, this also required setting up the new ops$ account in oracle, then it all seamed to work pretty much as the doco said it would.

• Deploying SSO for enterprise CA web enrollment page

  Hi
  as we know, about enterprise CA, when connect to CA web enrollment page, it asks us to enter our domain account credentials. since we have logged in to our windows, via Domain user account, is there any method to deploy SSO for that? i mean
  when domain user logges in, the page be opened automatically without prompting for domain credentials again.
  any link for instructions to how to deploy that?
  thanks in advanced

  On Tue, 7 Apr 2015 13:25:57 +0000, john.s2011 wrote:
  as we know, about enterprise CA, when connect to CA web enrollment page, it asks us to enter our domain account credentials. since we have logged in to our windows, via Domain user account, is there any method to deploy SSO for that? i mean
  when domain user logges in, the page be opened automatically without prompting for domain credentials again.
  any link for instructions to how to deploy that
  Add the site to the Trusted Sites zone, then change the security settings
  in IE to allow logon with current user name for Trusted Sites.
  Paul Adare - FIM CM MVP
  Give a man a fire and he's warm for a day, set a man on fire and he's
  warm for the rest of his life. -- the fish analogy, according to Simon
  Cozens
  Hi Paul.
  great guide, thanks.
  i also noticed that if we add that to local intranet zone, SSO is deployed without any further configuration.

• SSO FOR NON SAP APPLICATIONS

  SSO for non sap applications in EP on which siteminder sso is integrated
  Posted: Aug 28, 2006 7:09 AM        Reply      E-mail this post 
  Hi ,
  we have implemented Siteminder on SAP PORTAL 6 SP16 for authentication.I would like to integrate non sap application in Portal.I could not find any documentaion for setting up non sap application's in portal on which siteminder external authentication is implemented.
  can anybody help for getting step by step document.
  diff rewards to be given

  Hi,
  if you have access to service.sap.com via S-User, you can download "SAP Enterprise Portal Security Guide" in the portal section. It has dedicated descriptions about SSO-Settings, also about netegrity.
  You can also search help.sap.com about "SSO" which gives you overview descriptions.
  On SAP Service Net, there is also an pdf "Integrating Security functions" in the Netweaver 2004s Portal section, where the description of the Java API for the PDK is included. This is very helpfull for coding.

• Jabber voice for iPhone 9.1.7 crashes on iPhone 5S

  Few users reported that Jabber voice for iPhone crashes on 5S after updating to latest 9.1.7 version. App loads, register to CUCM but crashes when using dial pad and application closes itself. App works on iPhone 4.
  Does anyone else have the same issue?

  The following error is reported via Console:
  iPhone ReportCrash[4722] <Notice>: Saved crashreport to /var/mobile/Library/Logs/CrashReporter/Jabber Voice_2014-05-19-083318_"removedname".plist using uid: 0 gid: 0, synthetic_euid: 501 egid: 0
  May 19 08:33:19 iPhone Jabber Voice[4724] <Warning>: Stderr redirected to: /var/mobile/Applications/0CDDD8A3-0BD0-40DA-AFCA-8B32C71B0187/Documents/Logs/Jabber Voice-2014-05-19-08331907-Console.log
  May 19 08:33:19 iPhone Jabber Voice[4724] <Notice>: (Error) [ABLog]: ABPeoplePickerNavigationController does not support subclassing in iOS 7.0 and later. In the future, a nil instance will be returned.
  Issue happens on iPhone 5S running 7.0.6 or 7.1.1 iOS. 

• SSO for prompts with Crystal and BW in BO XI 3.1 SP3

  Hello together,
  i have a question regarding Crystal and SSO based on a Bex Query.
  I created a Crystal report based on a Bex Query.
  Saved this to BW und published it with the BW Publisher to BOE (SAP Int. Kit is installed).
  In the Cmc i set the report to SSO for prompts.
  I logon to BOE with my SAP User and Password.
  Try to run the Crystal.
  Unfortunately it does not work, i get an logon error message for the Database.
  Can somebody help me why this happen?
  Thx a lot
  Br
  Mike

  Hi Ingo,
  sorry for my late response, i had no chance to access the system.
  It is no error, it is just the Database Logon
  "The report you requested requires further information."
  But how can i avoid this Logon und use SSO?
  Thanks a lot for your help.
  Best Regards
  Mike

• I think i got ripped off by this verizon store , I got the 4 line $140.00 edge plan, which I had to pay for the phone in monthly payment, i did the math it was 268.00 total..  At check out this guy charge me $50.00 care package for each phone and sim card

  I think i got ripped off by this verizon store , I got the 4 line $140.00 edge plan, which I had to pay for the phone in monthly payment, i did the math it was 268.00 total..  At check out this guy charge me $50.00 care package for each phone and sim card which was $10.00 , $25.00 set up with TCP and he said the rest was tax.  I had to pay $474.36.. my brother went to costco and did the same verizon deal he didn't have to pay anything...

  Welcome to this forum.
  This is a customer to customer forum only, where forum members, who are only BT customers, can help each other with BT Retail products and services.
  Anything you post here does not go to BT. Although the forum is moderated by BT, not all posts are read.
  I have asked a moderator to provide assistance, they will post an invite on this thread.
  They are the only BT employees on this forum, and are a UK based team of people, who take personal ownership of your problem.
  Once you get a reply, make sure that you are logged into the forum, then click on their name, you will see a screen like this. Click on the link as shown below.
  Please do not send them a personal message, as they may not be on duty for a long time, and your message will not be tracked properly.
  For your own security, do not post any personal details, on this forum. That includes any tracking number you are give.
  They will respond either by phone or e-mail within 5-6 working days.
  Please use the tracked e-mail, to reply, not via the forum. Thanks
  This is the form you should see when you click on the link. If you do not see this form, then you have selected the wrong link.
  When you submit the form, you will receive an enquiry number, so please keep a note of it
  There are some useful help pages here, for BT Broadband customers only, on my personal website.
  BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

• How to use SSO for some sites

  I have one SSO certificate provided in IE and some of my corresponding sites refer to this SSO while logging in.
  This works perfectly well in chrome as well, however same sites do not recognize SSO certificate and prompt for Logon credentials while accessing in firefox

  Hi Daniel,
  Yes, you can use SSO for your purpose. One of the over-looked features of SSO is to use as configuration store. Especially for storing the credentials for accessing your external
  systems.
  Create an
  affiliate application in SSO and save your credentials in there. And in send port, under security tab you can select the affiliate application to use the credentials.
  Read this article on this topic. This article gives you the detailed information starting from access required to create affiliate application, ways to read data
  from SSO.
  Building and Executing
  a BizTalk Single Sign On Scenario
  Single Sign-On Support for the WCF Adapters
  If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

• HT2534 How can I check my balance for my I tunes gift card on my I pad?

  How can I check my balance for my I tunes gift card on my I pad?

  You can view the balance of your iTunes account : on my iPad it shows at the bottom of, for example, the Featured tab in the App Store app under my account id (or you can view your account via Settings > iTunes & App Store and it should show on the screen that you are taken to). If your balance is zero then it might not show.

• Do not require smartcard for specific user logon

  Hi everyone!
  I set up a GPO setting for some application server "Interactive logon: Require smart card" to "enabled". So, now I need to allow a specific user (admin, for example) to logon to this computer without smartcard. How can I do this?
  Note, that I need to allow only one user to logon without smartcard and other users must use their smartcards (but strongly they must use smartcards only for this application server - so, they should be able to logon to other domain computers without smartcard).
  How can I reach this goal?

  > Require smart card" to "enabled". So, now I need to allow a specific
  > user (admin, for example) to logon to this computer without smartcard.
  > How can I do this?
  To be honest: You cannot. Your setting is a computer setting and has no
  exception possibilities for a subset of users. The other solution (AD
  account properties of users) have no exception possibilities, too.
  To me, it seems this user needs 2 accounts... One with "smartcard
  required" to logon to all other computers and a second one that can only
  logon to this computer (user rights: "allow logon locally").
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))