JBoss 7 and BlazeDS Authentication

Similar Messages

• Portal Drive Single Sign On and Kerberos Authentication

  Hi,
  We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
  1. Can Kerberos and NTLM authentication be configured together.
  2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
  3. Any other approach to make Portal Drive SSO work.
  Helpful answers will be rewarded.
  Regards,
  Chandra

  Hi Gregor,
  I did two things:
  first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
  second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
  Again, this only worked after installing the latest vesion.
  Hope this helps
  Marcel

• Graphics builder and os authentication

  I'm running on NT 4 sp6. I'm trying to get OS authentication working with graphics. It works great for forms and reports, but I cannot get graphics builder or the graphics runtime to work with os authentication. I've tried it with developer 2000 r2 and 6i release 2. Thanks is advance.
  null

  Is the state of OCCI and OS Authentication still the same? Or has it changed in the 2.5 years since this question was first asked and answered?
  I've yet to find any indication that it is now supported, but could I confirmation of that fact?
  If it is not, what is the Oracle recommended method for accomplishing this?

• Remote users sending email - RBL and SMTP authentication

  I've read about the problem of using RBL's with remote Outlook IMAP/SMTP users who may be using dynamically assigned IP addresses. There is a good chance that they will be appear on the RBL and so not be able to send email via the GWIA.
  One work around is to have them send their email via their ISP's SMTP server, but this is a pain, because when they are back in the office, then need to switch their SMTP server back to the inhouse one.
  So on the GW 7.0.3 server running on SLES 10, I wondered if the one host could handle multiple GWIA's??
  1st existing GWIA:
  To handle the regular in/out email with RBL's protection on it.
  2nd new GWIA on a separate port but same IP address to handle just inbound email. This would be used by remote users and require authentication so no need for an RBL on it.
  Is this a sound approach?
  Any gotchas for setting up two gwia's on the one server and IP address besides separate ports?
  I am aware there is the option of using the Groupiwse client or webmail, but firstly these users don't want to change from 'LookOut" due to their address book synch with their mobile phones and secondly sometimes they like to use their smart phones for remote email synchronisation.

  Maybe I should simplify this a little...
  Can the one host handle multiple GWIA's??
  1st existing GWIA:
  To handle the regular in/out email with RBL's protection on it.
  2nd new GWIA on the same host and IP address, but on a separate port to handle just inbound email. This would be used by remote users and require authentication.

• What are the versions required for JBOSS,JDK and ORACLE to setup the ATG 10.2.

  Hi Folks,
  Could you please share, What are the versions required for JBOSS, JDK and ORACLE to setup the ATG 10.2.
  Thank you.

  In case you don't have access to MOS :
  JBOSS : 5.1.2 EAP
  JDK : 1.6.0_38
  ORACLE :
  Oracle Exadata5
  Oracle 10gR2 (10.2.0.3)
  Oracle 10gR2 RAC (10.2.0.3)
  Oracle 11gR2 (11.2.0.2.0)
  Oracle 11gR2 RAC (11.2.0.2.0)

• Can we provide UN and pwd Authentication 4r SMTP Mail Configuration

  Dear All,
  Previously we are able to send the mails from SAP to Outside World. After chaning the Mail Server to MS Exchange 2003
  We enabled the Port the 25.
  We are facing a problem While configuring a mail via SMTP for Exchange Server 2003.
  Throws an Error Message:
  Internal error: CL_SMTP_RESPONSE ESMTP error code is not known. 554 554 > : Recipient add
  As per network Team :
  Unless we provide a Username and password, the Send/Receive process does not happen.
  Is there any option in SAP - SMTP Mail Configuration to Provide user and password Authentication.
  I searched in SDN as well as in market place. but i could not succeed. Please guide me the process.
  Regards
  SNB.

  Hi we are configuring Google SMTP getting below error..
  No delivery to xxx.com, authentication required
  Message no. XS856
  Diagnosis
  The message was processed successfully in the SAP system. The mail server that is to receive the message for further processing requires authentication. Probably there is no logon data specified in the SAPconnect configuration.
  Information from external system (if available)
  smtp.gmail.com:587
  530 5.7.0 Must issue a STARTTLS command first. i91sm11178241qgd.25 - gsmtp
  Procedure
  Enter the logon data in the SAPconnect node.
  Using Gmail SMTP server using "smtp.gmail.com" with port 587
  Please advise.
  Regards,
  Sudarshan

• XI 3.1 Client Tools and LDAP Authentication

  I have Business Objects XI 3.1 SP2 installed.  For the web clients (InfoView) single sign on and LDAP authentication are working correctly.  However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
  [repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
  Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

  Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
  Take a look at note 1272536 (http://service.sap.com/notes)
  Regards,
  Stratos

• Username and Password authentication

  Hi,
  I am new to both JDBC and MSSQL. I've been connecting to msSQL server without providing username and password (DriverManager.getConnection(String url)). I am wondering how to enforce the username and password authentication so that username and password have to be verified before a connection is made. Thanks in advance.

  but where can I get the username & password? I can get
  the connection even with any username & password, why?Hi WeiHang,
  This is regarding the options you have set in the SQL Server. You have to choose from Windows NT authentication and SQL Server Authentication. If you give SQL Server authentication you have mentioned the username and password and you can connect to database simple using DSN(if you are using JDBC-ODBC). However if you choose WindowsNT authentication you donot specify the user name and password there and you have to enter the same at runtime.
  Hope this can help you

• Get an error for changing the windows authentication mode to the both SQL and windows authentication mode

  I installed the SQL server Express 2008 R2 and then SQL Server Management Studio 2008 R2 . But during the installation, I could not choose the both SQL and windows authentication mode and an error accrued so I did that just with windows authentication mode. 
  Now, I want to change the windows authentication mode account to the SQL authentication mode but it shows me an error which is you do not have permission (Although I am the administrator in windows), what can I do?
  Following steps are the steps that I went but I got an error:
  Server properties >> security >> choose the option of SQL Server and Windows Authentication mode 
  and the error that I got is attached(access is denied)  
  Can you please help me?

  You can change the setting after you gain admin rights to your SQL Server. You don't admin rights automatically, you have to explicitly add yourself during the install
  Here's a guide on how to (re)gain those rights:
  http://v-consult.be/2011/05/26/recover-sa-password-microsoft-sql-server-2008-r2/

• Cisco ISE (1.3) Posture and re-authentication

  Hello,
  With posture and re-authentication, during the re-authentication the posture status swithes to pending. This results in a redirect to client provisioning and a temperorly but unwanted state with no access to network resources.
  Is there a way to work around this?
  Regards,
  Dennis

   24423  ISE has not been able to confirm previous successful machine authentication  
  Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
  first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
  log off and on  or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. 

• Machine Authentication and User Authentication with ACS v5.1... how?

  Hi!
  I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
  This is the goal:
  On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
  Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
  I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
  I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
  "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
  But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
  I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
  Thank you.

  Hello again.
  I found out how to do this now..
  What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
  After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
  You must also remember to change the AuthMode option in Windows XP Registry to "1".
  What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
  That would have plugged a few security holes for me.

• 802.1x Wireless - Enforce user AND machine authentication

  I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
  The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
  I'd rather not have to deploy user and machine certificates.
  All I want to do is allow access to the wireless network only if the device and the user are in AD.
  It's such a simple scenario that I must be missing something.
  Any suggestions are welcome. Thanks in advance for your comments.
  Lucas

  In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as radius backend, last time i looked in ACS release notes was 5.4, and it didn't have eap-chaining support.
  Using the built-in windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed), What most people miss when they say this will work fine with windows supplicant and acs, is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine, this is mainly due to the shortcomings.of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

• SAPGUI and Portal Authentication using AD Credentials with usr/passw prompt

  Hi Experts,
  We have the following requirements:
  1. Portal/EP has UME set to ABAP (in other words using ECC6 system's user/password).
  2. ECC6 user-id's differ from Active Directory user.
  3. User logs in to Active Directory.
  4. User wants to log on to SAPGUI (ECC6 system), with a user-name password prompt, using the Active directory Credentials.
  5. User wants to log on to Portal/EP, with a user-name password promt, using the Active Directory Credentials.
  The following suggested solution was the closest to the requirement (without to much technical detail):
  1. For SAPGUI, implement SSO on the workstation GUI's and maintain the Active Directory user in transaction SU01 in the ALIAS field.
  This should enable the user to, after having logged onto the Active Directory, to open the SAPGUI and WITHOUT user-name password prompt, be authenticated and logged into SAP. This would entail settings to be done on each workstations GUI.
  2. For the Portal/EP, implement Kerberos on the portal, setting it to authenticate to the AD. As per note 935644 maintain an additional attribute on the UME, to enable the mapping between the UME and the AD users.
  This should enable the user, after having logged onto the Active Directory, to open Internet Explorer, go to the Portal URL, and be authenticated and logged into the portal, without WITHOUT user-name password prompt.
  Do you know the viability of this solution, or whether there is any better suggestion (especially to keep the user-name password prompt, and without changing the ECC6 or Active directory users).
  Regards.

  AJP,
  The description you have given is an exact description of the capability of our product. I represent a company called CyberSafe, and our products are designed and sold to SAP customers for integrating the SAP user authentication with Active Directory authentication. We have some unique features in our product which you could benefit from, e.g. our SAP GUI SNC library has the ability to popup a logon screen asking user for Active Directory account and password before it logs the user onto SAP. Also, when the SAP system has authenticated the user, either via the Web browser or via SAP GUI their Kerberos principal name (determined from AD account name and domain) is mapped onto a SAP user using a table in the ABAP system. The browser authentication even uses this same table for mapping so that an authenticated account name does not need to be same as the SAP user they log onto.
  If you would like to discuss our product more, and/or arrange a free evaluation please contact me using the email address in my SDN business card.
  Thankyou,
  Tim

• OS-X - 802.1x and machine authentication

  Hi all
  I have a customer with a large installed base of MacBooks Pro running MAC OS-X, connected via WLAN to a centralized Cisco WLC 5508. He also has installed a Cisco ACS 5.x as RADIUS server and Open LDAP as directory services.
  The customer wants to do machine authentication based on cthe lients MAC addresses, which means that the ACS 5.x has to check the clients MAC address against the LDAP.
  Obviously MACs are not able to send "host/" to differentiate between client- and user-authentication, which by the way works perfect.
  - Does anybody have made the same experiences ?
  - Has anyone managed to get this running ?
  - Can anyone provide me config examples, hint or tipps ?
  Everything is very much appreciated since this is an urgent request.
  Many thanks in advance
  Best regards
  Roman

  Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
  Glad you found resolution with a later version of the OS.
  Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

• Security attributes, qfp and un-authenticated users

  Hi,
  I have some observations regarding security attributes, query filter plugins and un-authenticated users that I would like your comments on.
  I am developing a custom crawler, a will be using OID for authentication. Not all users will be authenticated (hence they should only have access to content considered public). Authorization is done by the document source (using the option "ACLs controlled by the source").
  I am quite sure that I have read somewhere that not adding a security attribute for a certain document leads to the document being treated as public.
  Observations:
  A) Query filter plugins will only be called for authenticated users
  B) At crawl-time, not adding a defined security attribute leads to the document not being indexed
  Observation B means that my security attribute has to be added for every document (for the public documents populated with a value representing public access). Observation A means that the query filter will not be invoked for un-authenticated users (hence, they won't see any of the indexed documents, since all have security attributes).
  Question:
  How should I ensure that the documents considered public are available for unauthenticated users?
  Regards,
  Rune

  Hi all,
  I seem to have had inaccurate logging , so my assumption A is false.
  Then I have a simple workaround (add a special security attribute value for public documents), and you can forget about my question.
  regards,
  Rune