L2TP authentication question

Hi,
We have an LNS which is connecting to our partner's LAC. I've been mandated to provide password authentication for this connection. Looking online, all that I see is authentication for the users that will be using the LAC/LNS connection. But... I don't see a way to authenticate the LAC itself. This is a working tunnel currently, with no password for the LAC/LNS connection.
Here's our config:
vpdn-group VZ
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname VZWLAC
 source-ip 216.x.x.254
 local name GC
 l2tp tunnel framing capabilities all
 l2tp tunnel bearer capabilities all
 ip pmtu
 ip mtu adjust
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1400
 ip policy route-map clear-df
 peer default ip address pool guamcell
 no keepalive
 ppp authentication chap
 ppp ipcp dns 63.x.x.20 63.103.50.17
Thanks!
Lisa G

You can try this: the LNS authentication server performs an authentication process based on the LNS local name and a shared password. The LNS can also perform the authentication locally.
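
How the tunnel-level (LAC/LNS) authentication suggested in the reply works, as an added example that is not part of the original thread: RFC 2661 runs a CHAP-style challenge/response during control-connection setup, keyed by a secret both ends share. The secret and challenge values below are constructed for illustration.

```python
import hashlib
import hmac

# RFC 2661 message types whose number is the ID octet of the response hash.
SCCRP = 2  # Start-Control-Connection-Reply, LNS -> LAC
SCCCN = 3  # Start-Control-Connection-Connected, LAC -> LNS

# On Cisco IOS the shared secret is set per vpdn-group with
# `l2tp tunnel password`; here it is simply a byte string.


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(ID octet || shared secret || challenge)."""
    if not secret:
        raise ValueError("tunnel secret must not be empty")
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify(msg_type: int, secret: bytes, challenge: bytes, received: bytes) -> bool:
    """Recompute the expected response and compare in constant time."""
    expected = challenge_response(msg_type, secret, challenge)
    return hmac.compare_digest(expected, received)


def tunnel_setup(lac_secret, lns_secret, lac_challenge, lns_challenge):
    """Simulate SCCRQ/SCCRP/SCCCN; return (lac_accepts_lns, lns_accepts_lac)."""
    # SCCRQ (LAC -> LNS): carries the LAC's Challenge AVP.
    # SCCRP (LNS -> LAC): answers it and carries the LNS's own Challenge AVP.
    sccrp_resp = challenge_response(SCCRP, lns_secret, lac_challenge)
    if not verify(SCCRP, lac_secret, lac_challenge, sccrp_resp):
        return False, False  # LAC tears the control connection down (StopCCN)
    # SCCCN (LAC -> LNS): this response is what authenticates the LAC itself.
    scccn_resp = challenge_response(SCCCN, lac_secret, lns_challenge)
    return True, verify(SCCCN, lns_secret, lns_challenge, scccn_resp)


# Constructed sample values; real challenges must be fresh random bytes.
SECRET = b"constructed-tunnel-secret"
LAC_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
LNS_CHALLENGE = bytes.fromhex("ffeeddccbbaa99887766554433221100")

if __name__ == "__main__":
    # Both ends (VZWLAC and GC in the posted config) hold the same secret.
    print("matching secrets:", tunnel_setup(SECRET, SECRET, LAC_CHALLENGE, LNS_CHALLENGE))
    # The LAC holds a different secret: setup stops before any session exists.
    print("secret mismatch :", tunnel_setup(b"other", SECRET, LAC_CHALLENGE, LNS_CHALLENGE))
    # LNS-side check of an SCCCN response computed with the wrong secret.
    bad = challenge_response(SCCCN, b"other", LNS_CHALLENGE)
    print("LNS accepts LAC :", verify(SCCCN, SECRET, LNS_CHALLENGE, bad))
```

This exchange only proves that each peer knows the secret when the control connection is set up; it does not encrypt the tunnel, and it is separate from the per-user `ppp authentication chap` on the virtual template.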

Similar Messages

  • IDM Password Reset Authentication Questions

    Hi,
    We are implementing Password Self Service using IDM 7.1. Everything is set up, and we have tested and were able to reset passwords for users on connected target systems. We are now doing some cosmetic changes before going live, like setting up new authentication questions and changing existing questions from IDM.
    In total we have 10 questions and the way we set it is
    Minimum number of validation questions = 5
    No. of questions to show = 3
    No. of answers required = 3
    After setting all 10 questions, I took a new test ID that had never been set up with a profile, set its profile with 5 random question answers out of 10, and saved it. I went back to /idm/pwdrest and entered the unique ID, which is the user ID, and the 3 challenge questions it showed were not the ones I set my answers to.
    Why is it prompting the questions for which I have not set answers?
    Can anyone tell me if I am missing any config creating these attributes, or is it the way IDM works?
    Thanks.

    Greetings,
    It has been my experience that the system will show any of the available questions when a user has not had any answers set. Sometimes, there is a disconnect with the Unique ID entered and the user ID stored in the identity store and it just cannot find the stored answers. As long as the additional question attributes you created follow the existing convention, they should be fine.
    I would start by looking at what question attributes you have committed for the user and which ones show in the pwdreset task screen for the user. You can also run the guided task several times with the same ID to see what rotation of questions you get, and whether it is going through all 10 or only a certain subset.
    Do you have a self-service task configured to set the question answers?
    Thanks,
    Jared

  • Authentication Questions Deleted When Saving User View

    I am working with IDM version 6, SP1
    We wish to start using the user self serve reset password function.
    However, the user authentication questions and answers keep getting deleted.
    Any time a user view is checked out and checked back in, the questions are deleted.
    This happens from the Admin Interface, from workflows, and even from the BPE.
    Has anyone seen this before and if so is there a fix?
    Upgrading is a consideration but is not on the "Todo" list for quite a while.
    This is a real problem as it is stopping us from moving forward with user self serve password resets.
    Regards
    Mike F.

    We have a similar issue with version 7.0. I had posted questions about it here (forums) and have an open bug report in with Sun.
    Searching on another forum (which you may or may not have access to), it looks like there is a bug -- at least in version 7.0 -- where several pages are "doing a setViewId and not setting it to readonly, so a checkout was done on the user for every page". It sounds like this bug may be fixed in version 7.1 and later. If I search through the jsps, I see liberal calls to "form.setViewId()".
    I haven't yet tried explicitly setting these calls to readonly (I don't even know what the syntax would be at this point). Your problem sounds somewhat different (ours only occurs on failed validations) but perhaps you are seeing a similar bug in version 6.
    In case you are interested, my issue is described in this post:
    http://forums.sun.com/thread.jspa?forumID=764&threadID=5414572
    That's the problem description, not a description of the fix. And while it talks about a different problem, we also see cases where if a validation fails when the user is entering data, AuthN questions are deleted, which is what makes me think this may be a similar problem.

  • More than 10 authentication questions?

    Hi,
    Is there a way to set more than 10 authentication questions on an account policy? E.g. via the API?
    We're using Identity Manager 8.1.
    Thanks,
    Lachlan.

    Ok, good to know it can be done. I tried this, but it didn't seem to work unless the "id" attribute for each question had a valid value. Did you fill in the ids for the questions yourself? If so, how did you determine what they should be?

  • Authentication questions I never answered

    When I try to buy something from my iTunes account with my iPhone, it asks for authentication questions that I have never seen or answered before. How can I fix this?

    You need to ask Apple to reset your security questions. To do this, click here and pick a method; if that page doesn't list one for your country or you're unable to call, fill out and submit this form.

  • Authentication Question in SAP IDM 7.1

    Hi All,
    I am currently working on SAP IDM 7.1. My requirement is to set authentication questions in SAP IDM and enforce the same at the first login of the user. Presently I am setting my authentication question answers in OOB attributes -- MX_AUTH_Q01 - Q05.
    For the first-time login user I am getting the default password change screen; thereafter I need to enforce Set Authentication for every user who is logged in for the first time. Please suggest if SAP provides any feature like this to set authentication questions at the time of login. Thanks in advance
    Regards
    Swati Pandey

    Hi Christian,
    I have implemented the security question using the same concept, i.e. by limiting access to the process through access control. Now, my requirement is to store dynamic questions in the user profile, i.e. users can store their own custom question/answer. Do we have any such facility in SAP IDM? Presently the auth questions provided are static for each user profile.
    Thanks
    Swati Pandey

  • Weblogic security authentication; question to interact with the realm

    Hi, I have a quick question about weblogic security authentication....
    We are using weblogic 81sp3. We have user-group info in a Novell eDirectory LDAP server.
    Currently, a Novell Authenticator provider is configured under : Security > Realms > myRealm > Providers > Authentication This tells Weblogic from where to get the user and groups. Weblogic caches this information of the logged on users for certain time ( example : 60 secs ) after which it cleans the cache for all inactive users. We want to interact with the Weblogic cache. Add more user profile information to this cache and use it in our application .
    Does somebody know how to programmatically interact with Weblogic user-group cache - read , write , update and delete user-group info in cache and control time to live for the cache ?

    Already checked the TTLCache class which WebLogic provides, but they seem to have deprecated it.
    Help?

  • Receiver SOAP adapter - User authentication question

    XI experts,
    Here is the scenario - IDOC > XI > SOAP - Asynchronous call..
    I need all your help to understand the user authentication on the "Receiver SOAP Adapter"... We are using "HTTP" transport protocol.
    I believe the userid which we entered in the communication channel needs to have proper security on the web server. The Web server URL starts with "http://lsme01.xyz.com/...." .
    Question: Will this userid and password be encrypted when XI calls this web service?
    If the answer is "NO", then is there any way we can encrypt it?
    Thanks in advance!
    Points will be given..
    MP

    XI experts,
    I need an answer to the following question....
    The Web server URL starts with "http://lsme01.xyz.com/...." .
    Question: Will this userid and password be encrypted when XI calls this web service?
    If the answer is "NO", then is there any way we can encrypt it?
    Thanks in advance!
    Points will be given..
    MP

  • Oracle BAM Authentication Question

    We are facing a strange problem related to Oracle BAM authentication and I'd like to ask for opinions or suggestions.
    - We have a BAM Server called MYSERVER
    - MYSERVER is a Win2003 and BAM was installed using MYSERVER\Administrator account
    - We have a domain called MYDOMAIN
    - MYSERVER is part of domain MYDOMAIN and this domain is registered in MYSERVER as a trusted domain.
    - We have four user groups created in domain, not in bam server:
    1) MYDOMAIN\bamAdmin
    2) MYDOMAIN\bamArchitect
    3) MYDOMAIN\bamDesigner
    4) MYDOMAIN\bamUser
    - In Windows 2003 we added the following users to the groups below:
    user MYDOMAIN\adm was added to group MYDOMAIN\bamAdmin
    user MYDOMAIN\arch was added to group MYDOMAIN\bamArchitect
    user MYDOMAIN\des was added to group MYDOMAIN\bamDesigner
    user MYDOMAIN\usr was added to group MYDOMAIN\bamUser
    - In Administrator>Login Management
    We didn't create login for users, only groups just described:
    MYDOMAIN\bamAdmin
    MYDOMAIN\bamArchitect
    MYDOMAIN\bamDesigner
    MYDOMAIN\bamUser
    - In Administrator>Roles Management
    We selected each Role and added the following groups
    Administrator > MYDOMAIN\bamAdmin
    Report Architect > MYDOMAIN\bamArchitect
    Report Creator > MYDOMAIN\bamDesigner
    Report Viewer > MYDOMAIN\bamUser
    - After that, we return to Administrator > Login Management to review groups
    There is a yellow question mark indicating BAM cannot validate this login in the domain controller.
    This login is not currently known to be a valid login.
    We click in one of the described groups, such as
    MYDOMAIN\bamUser
    And then in "View Roles" link.
    We receive the following message
    ADC Server exception in GetUserGroups(): 3.
    Source: "ActiveDataCache" ID: "ADCServerException"
    Logon failure: unknown user name or bad password
    Source: "Oracle.BAM.Common.Core"
    Sometimes we get: "Network path not found" and finally we get this message:
    "The account used to run the Oracle BAM Active Data Cache does not have permission to retrieve the list of groups for this user. Contact your network administrator."
    - If MYDOMAIN\usr, which was added to group MYDOMAIN\bamUser, tries to access the BAM Viewer module or the BAM home page (http://myserver/oracleBam), he receives the same error in the welcome screen.
    - User MYDOMAIN\usr can login to MYSERVER server in domain MYDOMAIN, so server recognizes the domain and user.
    - In Windows NT Alert Viewer we have several errors/warnings registered, telling that BAM could not validate user/login and also "RPC Server Unavailable" errors.
    - I tried changing ADC Service user credentials to MYDOMAIN\Administrator, but ADC Service didn't start anymore, so we have to reconfigure to MYSERVER\Administrator.
    - In ADC Log we have several messages indicating BAM could not validate user:
    2008-01-22 17:26:11,875 [User Validation Thread] WARN - ActiveDataCache Caught exception while validating user MYDOMAIN\usr: Logon failure: unknown user name or bad password
    And when we changed credentials to MYDOMAIN\Administrator we got messages indicating bam stores some type of key/encrypt information by user who installed product (MYSERVER/Administrator):
    2008-01-22 16:49:16,062 [1484] ERROR - ActiveDataCache DPAPI was unable to decrypt data. CryptUnprotectData failed. Error -2146893813: Key not valid for use in specified state.
    Can somebody point us to what could be wrong, perhaps a tip or doc about Windows/BAM auth integration?
    Metalink has little information about that, such as Note: 412555.1, but from the network view it seems to be correct because we can log on MYDOMAIN\usr to MYSERVER successfully.
    BAM could integrate with NT user authentication seamlessly, but it seems to me that it's harder and trickier than we thought.
    Any ideas?
    Thank you in advance,
    Rogério

    Hi,
    Windows services running as local user can not do domain user authentication (even when machine is on that domain)
    You will need to change ADC Service user credentials to MYDOMAIN\Administrator. If you just do this only in services, the service won't start because the database passwords in config files are encrypted as the original user and cannot be decrypted by the new user.
    See "Working with Post-Install Password Changes and Password Expiration Policies" in the BAM Install Guide (In chapter 3 under Additional Configuration Settings) to change the config files. And also add MYSERVER\Administrator to BAM Administrator group before change.
    The easiest may be to just reinstall as user MYDOMAIN\Administrator.
    Thanks
    Ranga

  • Certificate Based Authentication - Questions and Authentication Modules

    Hi Everyone
    I'm trying to achieve a specific configuration using AM . I've installed the AM Server 7.1 on a AS9.1EE container and have another AS91EE container on another machine that has the agent configured.
    The AM server is using a DS rep for configurations and dynamic profiles and using a AD rep for authentication.
    What I now need to achieve is authentication based on one of these two ways:
    - user and password authentication (which is working)
    - Certificate based authentication ( working on it )
    To configure the Cert. Auth I've started reconfiguring the containers and agent to work in SSL, as said in the manuals. The manuals also say that the containers must have "Client Authentication Enabled"; they don't say which (either the server or agent container or both). Also I assume that "Client Authentication Enabled" is referring to the Http Listener configuration of that container.
    When I enable it ( the Client Authentication ) on the http listener for either containers the https connection to that container stops working. In Firefox it simply prompts an error saying that the connection was "interrupted while the page was loading." . On IE, it prompts for a Certificate to be sent to the container and when I provide none, then it gives me the same error as Firefox. In both cases no page was presented.
    Basically what I need is for both authentication methods described before to work! So, asking the certificate ( specially if it wasn't the AM asking for it ) without giving the user a chance to use a user/password combination isn't what is wanted.
    From what I gathered the "Client Authentication" makes this http listener need a certificate to be presented always .
    So, my first question is: is the documentation correct? Does this "Client Authentication" thingy need to be enabled at the listener level?
    2- I'll probably need to code a custom module for this scenario I'm working in because of client requisites, but if possible I would like to use the provided module. Still, in case I need to make one, has anyone made a cert. auth module that they can provide me with so I have a working base to start with?
    3- Is there a tested how-to anywhere on how to configure Cert. Based Authentication?
    All for now,
    Thank you all for your help
    Rp

    Hi Rp,
    We are using AM 7.1 with Certificate Authentication and LDAP Authentication. To answer your question, yes, it is possible to use both methods at the same time, i.e. use the certificate first and then fall back to LDAP.
    First you need to configure AM's webcontainer to accept the certificate. From your message it is clear that you have done that. The only mistake that you did is "made the Client Authentication required". I have done this in Sun WebServer 7.0 and Sun Application Server 7.0 (yeah that is old!!). You need to make the Client Authentication as optional. It means that Certificate will be transferred only when it is available otherwise Web Container will not ask for the Certificate. You will have to search Glassfish website or ASEE 9.1 manual to learn how to make the Client-Authentication Optional. You definitely need this authentication optional as Web Agent will be connecting to this AM and as far as I know they do not have any mechanism to do the Client Authentication.
    Secondly, In AM 7.1, you will have to Set up the Authentication chaining. Where you can make Certificate Module as Sufficient and LDAP module as REQUIRED.
    Thirdly, if you are using a non-OCSP-based certificate then change the ocsp checking in AMConfig.properties to false.
    Fourth, You may have to write a small custom code to get the profile from your external sources. (if you need to then I can tell you how).
    HTH,
    Vivek

  • External authentication question

    Hello,
    I am running an apex app in a secured environment. The authentication is handled by the environment, and a username passed to apex pages in a server variable, which I am able to use to set apex_application.g_user. Now, the user is only able to access apex pages via the security proxies, which make sure that the user is authenticated, etc. All page requests go through these security proxy servers.
    Now, my question is this: I've set the g_user in a custom page sentry function. I don't know a whole lot about this stuff, and so just deleted all of the session-verification stuff from the function that I copied, and return true always. Because, I'm thinking, the security proxies take care of all that. Is that okay? Or should I set that value somewhere else, and leave things that I don't understand alone? If so, where?
    Here's my page_sentry function:
    create or replace FUNCTION custom_Page_Sentry_Func (p_htmldb_user VARCHAR2 DEFAULT 'APEX_PUBLIC_USER')
    RETURN BOOLEAN AS
      l_authenticated_username VARCHAR2(256) := nvl(UPPER(OWA_UTIL.GET_CGI_ENV('HTTP_IV_USER')),'NOT_AF_AUTH');
      IS_USER NUMBER := 0;
      L_CURRENT_SID NUMBER;
    BEGIN
      --The server is behind the login system, so if the ApEx pages are shown, the login has succeeded (and we will find the cookie)
      -- If logged in user is not a user (doesn't exists in USERS table)
      -- THEN create a record in the table
      SELECT COUNT(*)
        INTO IS_USER
        FROM USERS
       WHERE USERNAME = l_authenticated_username;
      IF IS_USER = 0 THEN
        INSERT INTO USERS (USERNAME,SSN) VALUES (l_authenticated_username,'111111111');
      END IF;
      apex_application.g_user := l_authenticated_username;
      RETURN TRUE;
    END custom_Page_Sentry_Func;
    Thanks, -warren

    I am setting g_user so that I can see auditing info in the DB, etc.
    The database won't be aware of that value unless you set it into a context, e.g., by using dbms_session.set_identifier or some such device. You would pass v('APP_USER') into such a call that you could run as the VPD block of your application (edit application security attributes to find that field).
    But my apex "user" is APEX_PUBLIC_USER, same user for everyone. I'm not going to inadvertently change that by calling the things that get called in the nmlt (or whatever it's called) page sentry function with my externally authenticated username, am I?
    Correct.
    Scott

  • EAP-TLS User and machine authentication question

    Hello,
    I have a question regarding EAP-TLS authentication in a wireless environment. We use the Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentication. The laptop and the user can be successfully authenticated using a certificate from our internal CA. I can also check in our corporate AD if the user and machine are members of a certain group, and based on the membership I can grant access to the network.
    I can see in the ACS when the laptop logs on to the network after a reboot, but I don't see a log when the laptop comes back from hibernate mode. I guess this is normal because the laptop sends the authentication request only after rebooting.
    What I'd like to achieve is that when a user logs on, it should always be checked if the machine was authenticated before the user can get access to the network. Is there a way to do this with EAP-TLS and an LDAP connection to Active Directory?
    Thanks in advance
    alex

    Sounds like you rather want to use PEAP/MSChapV2

  • Security & authentication  question

    Hi,
    I have in my env. a SharePoint portal; authentication is against Active Directory, then it should call a web service in XI which calls a BAPI in R3.
    Can XI handle the security here, passing the call to R3 from SharePoint? Can I use any tickets here?

    Hi Udi,
    If I am reading your question correctly, you want to know if XI can take the user context from the sharepoint portal and pass it on to the R/3 backend, i.e. logging on to R/3 using the same user as is logged on to sharepoint. The answer, unfortunately, is no. AFAIK the only current way to accomplish this is to include the username in the actual message content and pass this on to the R/3 system; then on the R/3 system code the necessary authority checks against the provided username. Be aware though, that you cannot use the usual authority-check functionality for this.
    Regards,
    Thorsten

  • SharePoint - authentication question and error message

    When I try to add a data source bound to a SharePoint list, I receive an error message "an error occurred while retrieving SharePoint lists". I'm not sure, but I'm assuming this may be an authentication issue (the Microsoft account I'm using does not have access to our SharePoint server, I use a separate account for that). My question is: would this be the cause of the error message and if so, how/where would I set authentication up for the data source?

    More info from ULS viewer:
    02/18/2014 13:56:33.63 w3wp.exe (0x14B8) 0x16C0 SharePoint Foundation Authentication Authorization agb9s Medium Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0 e973759c-f025-c061-a37a-3d6b6639b7bd
    I have a feeling this is related to ADFS? We aren't supporting ADFS on our farm at the moment.

  • Open Directory authentication question

    I have 2 Apple servers.  One is running 10.6 (server), the other is running 10.5 (server).  I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication.  What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory.  Any ideas?

    mickey13 wrote:
    I have 2 Apple servers.  One is running 10.6 (server), the other is running 10.5 (server).  I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication.  What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory.  Any ideas?
    This should work the same way as normal.
    Define the user accounts in Open Directory as normal via Workgroup Manager
    On the 10.5 Server, set up a share point, usually AFP is used as the protocol, this is done in Server Admin
    On the 10.5 Server, set up that share point to be an Automounted share for user home directories, this will register that share in Open Directory assuming you have already successfully connected the 10.5 Server to Open Directory system, this is also done in Server Admin
    Go back to Workgroup Manager select a user account you want to store on the 10.5 server, click on the Home tab, you should now see the 10.5 share point listed as an available choice for storing home directories.
    Click on the 10.5 share point and save the user account.
    I normally now click on create Home directory, although this happens automatically when a user logs in for the first time.
    It is perfectly ok to mix 10.5 and 10.6 servers in this manner. The client machines can also be a different version e.g. 10.4
    What you are doing above even though you are mixing 10.5 and 10.6 servers, is the same as you would do to spread the workload of user home directories across multiple servers. While handling user home directories does not cause a massive amount of CPU activity (or memory use) it does cause a significant amount of disk activity and therefore at a certain level spreading user accounts across multiple servers is recommended.
