MAD Authenticator with  BAM users

Similar Messages

• Oracle 10g Rel 2  - Proxy connection authentication with SAP User ID

  Dear Experts,
  We are currently doing some research and planning to upgrade SAP R/3 4.6C to ECC 6 and upgrading Oracle from version 9.2 to 10.2
  In upgrading to Oracle vers. 10g Rel 2, we got advised that Oracle has apparently introduced a new proxy connection authentication, in which the SAP user ID is given limited privileges (create session only) ??
  If you have any information on this or known any impact about this issue, please advise us.
  Thanks in advance.

  Thanks for your help, Kaushal.
  I also found the SAP Note 834917 (Oracle Database 10g: New database role SAPCONN and it seems to be on a right direction to cope with that problem.
  - For Oracle releases earlier than 10gR2, the CONNECT role includes extensive database authorizations and the more restrictive CONNECT as of 10gR2.
  - To overcome this restriction, SAP need to find a way to compensate this, so does it come SAPCONN.
  - SAPCONN is the new SAP-specific database role, which is defined to support the normal SAP applications operations (CONNECT, RESOURCE and SELECT_CATALOG_ROLE).
  Once again, thanks.

• Kerberos authentication with Active Directory

  I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
  I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
  How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
  I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
  import java.io.*;
  import javax.security.auth.callback.*;
  import javax.security.auth.login.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  public class krb5ADLogin1 {
  public static void main(String[] args){
  LoginContext lc = null;
  try {
  lc=new LoginContext("krb5ADLogin1", new TextCallbackHandler());
  lc.login();
  catch(Exception e){
  e.printStackTrace();
  Here is my config file:
  krb5ADLogin1 {
  com.sun.security.auth.module.Krb5LoginModule required;
  The command I use to start the program is:
  java -Djava.security.krb5.realm=mydomain.com
  -Djava.security.krb5.kdc=DomainController.mydomain.com
  -Djava.security.auth.login.config=sample.conf krb5ADLogin1

  Hi there ... the Sun web site has the following snippet:
  http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
  + javax.security.auth.login.LoginException: KrbException::
  Pre-authentication information was invalid (24) - Preauthentication failed
  Cause 1: The password entered is incorrect.
  Solution 1: Verify the password.
  Cause 2: If you are using the keytab to get the key (e.g., by
  setting the useKeyTab option to true in the Krb5LoginModule entry
  in the JAAS login configuration file), then the key might have
  changed since you updated the keytab.
  Solution 2: Consult your Kerberos documentation to generate a new
  keytab and use that keytab.
  Cause 3: Clock skew - If the time on the KDC and on the client
  differ significanlty (typically 5 minutes), this error can be
  returned.
  Solution 3: Synchronize the clocks (or have a system administrator
  do so).
  Good luck,
  -Derek

• BAM-00404: Authentication failed. User is marked inactive - BPM 11.1.1.6.0

  Hello experts!
  We have installed a brand new BPM Suite server with everything in the latest PS5 (11.1.1.6.0).
  We have successfully integrated User authentication with our Active Directory by creating an additional Provider in Weblogic. Such integrated authentication also works for Oracle BPM and the BPM Workspace.
  However, BAM is not working properly. Users can login to BAM, but after 5 minutes their users get flagged inactive by a background thread which can only be reverted by a System Administrator.
  The problem happens because we use Active Directory as the external authenticator and we do not use "cn" as the User Name attribute; instead we use sAMAccountName. We cannot change this setup though, as the AD is used in many applications across the company.
  We have followed all steps from document http://www.oracle.com/technetwork/middleware/bam/technote-bam-multiplesecurityprovid-130532.pdf but the background check is still active. My understanding is that we either change the User Name attribute to "cn" or we must disable the background verification. We want to accomplish the later, but we have not been successful so far. I'm wondering if this is a bug in the latest version or if there's something else that should be set in this version.
  Does anyone have an idea which could help us?
  Thanks,
  Bruno

  We are experiencing the same authenication issue in Oracle BAM as described above and are also running on an installation with the latest PS5 (11.1.1.6.0). When logging in with a user from the active directory provider the user will be set to inactive. Note, we are also having the user name attribute set to "sAMAccountName", but adding the property in the jps-config.xml did not help.
  If anyone managed to resolve this authenication issue we would really appreciate to know your solution.
  Thanks.

• Radius 802.1x authentication with computer AND users.

  Hi !
  I don't know if what I trying to do is possible so please excuse me if this sounds silly :)
  I have a Cisco Wireless lan manager where I've configure 2 differents SSID's : COMPANY and COMPANY_mobiles.
  What I want is to create a policy to restrict the access to the COMPANY SSID to only my company laptops with authenticaded users (both groups exists in the AD).
  Therefore I created a new policy with the following conditons :
  - NAS Port Type : Wireless
  - Client IPv4 Address : <my cisco ip>
  - Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
  - Users Groups : EUROPE\MY_USER_GROUP
  - Machine Groups : EUROPE\Domain Computers
  When trying to connect a notebook on windows 7 to that COMPANY ssid, I'm beeing rejected with the following error :
  User:
      Security ID:            EUROPE\HOSTNAME$
      Account Name:            host/HOSTNAME.my.server.com
      Account Domain:            EUROPE
      Fully Qualified Account Name:    EUROPE\HOSTNAME$
  Authentication Details:
      Connection Request Policy Name:    Secure Wireless Connections
      Network Policy Name:        Connections to other access servers
      Authentication Provider:        Windows
      Authentication Server:       My.radius.server.com
      Authentication Type:        EAP
      EAP Type:            -
      Account Session Identifier:        -
      Logging Results:            Accounting information was written to the local log file.
      Reason Code:            65
      Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network
  Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
  It therefore seems that it doesn't match my network policy and falls bacj to the default one.
  If I remove the user rule, and let the computer rule : Connection OK
  If I remove the computer rule, and let the user rule : Connection OK
  but if I put both, i can't connect :s
  Can someone help me with this issue ?
  Thanks a lot !
  Geoffrey

  Hi Geoffrey,
  I would like to know if
  EAP-TLS wireless authentication has been used since it uses user and computer certificates to authenticate wireless access clients.
  Please try to use NPS wizard to configure 802.1x wireless connection,
  and
  you will find that it
  creates new connection request policy and network policy. Network policy NAS Port type will be "Wireless -Other OR Wireless -IEEE 802.11".If
  you
  need filter by user and computer account, the log should show both authenticate user and machine account name.
  EAP-TLS-based Authenticated Wireless Access Design
  http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
  Regards, Rick Tan

• Authenticating, Authorizing VPN user with AAA

  Hello,
  I have ACS1113(4.2) solution Engine and ASA 5550 which have been integrated with ACS. I need to authenticate and authorize the VPN users form ACS.
  Also I need to have different access for different group in ACS
  please help me in this.
  Thanks
  Ritesh

  Hi,
  I am finding one problem. Well I have done the configurations in ASA for Authentication through ACS but when attempt to autehnticate through user then i get autehentication message. here is the command configure in ASA and debug msg
  Command:
  aaa-server ACSCHN protocol radius
  aaa-server ACSCHN (WAN) host 10.132.15.26
  key _____
  aaa authentication telnet console ACSCHN LOCAL
  aaa authentication enable console ACSCHN LOCAL
  Debug Msg:
  Initiating authentication to primary server (Svr Grp: ACSCHN)
  AAA FSM: In AAA_BindServer
  AAA_BindServer: Using server:
  AAA FSM: In AAA_SendMsg
  User: wipro
  Resp:
  In localauth_ioctl
  Local authentication of user wipro
  callback_aaa_task: status = -1, msg =
  AAA FSM: In aaa_backend_callback
  aaa_backend_callback: Handle = 868, pAcb = 1a3363f8
  aaa_backend_callback: Error: sorry
  AAA task: aaa_process_msg(185f00e8) received message type 1
  AAA FSM: In AAA_ProcSvrResp
  Back End response:
  Authentication Status: -1 (REJECT)
  AAA FSM: In AAA_NextFunction
  AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
  AAA_NextFunction: authen svr = ACSCHN, author svr = , user pol = , tunn pol =
  AAA_NextFunction: New i_fsm_state = IFSM_DONE,
  AAA FSM: In AAA_ProcessFinal
  AAA FSM: In AAA_Callback
  user attributes:
  None
  user policy attributes:
  None
  tunnel policy attributes:
  None
  Auth Status = REJECT
  aaai_internal_cb: handle is 868, pAcb is 1a3363f8, pAcb->tq.tqh_first is 1841ce20
  AAA API: In aaa_close
  AAA task: aaa_process_msg(185f00e8) received message type 3
  In aaai_close_session (868)
  Please help why it authenticated with internal server not with ACS server.
  Regards
  Ritesh

• How do I view the list of wireless routers my ipad has successfully authenticated with, and if possible when the last connection to each was made?

  How do I view the list of wireless routers my ipad has successfully authenticated with, and if possible when the last connection to each was made?

  The information is of course stored on the device, but currently thee is no way to get to it. It is unknown whether iOS stores the date info for each connection.
  As to whether a program can be written, its likely it can, but unlikely it can be done by anyone other than Apple, as by design, 3rd party Apps are not allowed to core system functions like that so its unlikely any App could list your connection history.
  As has been said to remove a single connection from the iPad you need to be in range of it, tap the circle on the right side of the router name, and then tap on Forget this network.

• Machine and User authentication with ISE 1.2.1

  Hi ,
  Can any one tell me in machine authentication what access need to be enable DACL for machine logon?
  Can we enable the access on port level ? direct to tcp/udp or ip level what is the best practice.
  Thanks 
  Pranav

  is this what you are looking for EAP Chaining which uses a machine certificate or a machine username / password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

• I burned a slideshow with iDVD, professional quality selected, 16:9 aspect ratio selected.  The quality of the finished product is much below that seen on my computer.  I have watched slideshows made by other imac users which look great.

  I have burned a slideshow from an iphoto album through iDVD, with "pro quality and 16:9 aspect ratio" selected on a double layer dvd.  When viewed, the picture quality is much inferior to that of the photos on my computer.  I have viewed slideshows made others with mac software and the pictures are much better.  My tv is HD 1080 wide screen and disc player is new.  What am I missing?

  That's more an iDVD problem and you should ask your question there: iDVD.
  The resident expert there, Bengt Wärleby, will be able to give you suggestions on how to proceed.  He's very, very good.
  OT

• Mac adress authentication with Radius

  Hello all
  we have an WiFi architecture based on two Radius servers (ACS 3.2)
  We make a Mac adress authentication with WEP on these Radius servers. Ours Wirelless cards are Proxim Orinoco. When we used the user and the passord identified by the mac adress manualy that works.
  But, the authentication by Mac adress with the wireless card don't work. The log on the radius servers are "CS PASSWORD INVALID".
  Ideas ?
  Regards

  First ensure the password on the access point and the authentication server is the same. I have had this trouble getting authenitcated with ACS for admin authentication. Installing it on another machine made it work. So try uninstalling ACS completely using the recovery CD and reinstall it to check if this works.

• Broken SSL/TLS SMTP authentication with Outlook Express

  Hi All,
  I've created two ports for SMTP-Authentication with required SSL/TLS : port 25 and port 587. Everythings work fine on port 25 (both smtp-auth and ssl/tls works).
  But when using Outlook Express with port 587, the problems happens:
  Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'pop.cbn.net.id', Server: 'smtps.cbn.net.id', Protocol: SMTP, Port: 587, Secure(SSL): Yes, Error Number: 0x800CCC0F
  I've already disable windows firewall, Desktop Antivirus etc. but still not works.
  Does anyone has the same problem? Thank you.

  Sorry I'm a little late to the party.
  This is a bug in OE. It is attempting to do an SSL negotiation immediately when the connection opens, like what a web browser does for HTTPS connections, rather than using the STARTTLS mechanism to start TLS in the middle of the connection. In other words, it's attempting to use the old, never actually standardized SMTPS protocol if you attempt to do secure SMTP on any port other than 25. When we deployed mandatory SSL/TLS here, we had to deploy an SMTPS server on port 465, just for OE users (our mail relay server is not an IronPort).
  SMTPS was never standardized, never even made it past one Internet-Draft. It's allocation of port 465 was later revoked by IANA and reassigned to another protocol. Yet it was treated as gospel by many mail client authors. I refused to support it on our mail server until it became obvious that OE simply wouldn't work otherwise (getting correct STARTTLS operation by using port 25 is not always available because of ISPs doing port 25 blocking). I don't blame IronPort in the least for not supporting it, although it does make this situation harder to resolve.
  I have learned to hate OE.

• SAP NW CE 7.1: Sign-on to R/3 backend with Portal User

  Hello,
  I have create a an Application Service. There I have imported some RFC and created some operations to read data from the R/3 backend and write in R/3 backend.
  I have created an other Development Component. It's a EJB Module. With EJB invocation I get access to the Application Service.
  The next step is to use the EJBs with Web Dynpro with the an EJB Model Import.
  Now my questions:
  How can I realize that this user who sign on in portal and excute the Web Dynpro Application also sign on at R/3 backend. In NWA at Destinations I changed the <i>Logon Data--Authentication</i> from <i>Technical User</i> to <i>Current User (Logon Ticket)</i>.
  Now I get the following exception:
  java.lang.IllegalStateException: No SAP logon ticket found for destination TDE.
  I execute the methods of the EJB in a test-class via JDNI-lookup.
  <b>How can I create a logon ticket for my destination?</b>
  Do I have "only" to follow the instructions here for http://help.sap.com/saphelp_nwce10/helpdata/en/4d/dd9b9ce80311d5995500508b6b8b11/frameset.htm for Scenario 1?
  <b>How can I deliver CAF the userid and password?</b>
  I implemented a test-class where I use the EJB of the EJB Module. How can I give CAF the userid and password of an PortalUser?
  Redards,
  Armin

  Hi Armin,
  Unfortunately, I cannot answer your question about logon tickets. But regarding user propagation to the CAF Application Service:
  When you access the Portal / WD app, you authenticate with some user. The latter is automatically propagated to the EJB in the EJB module and then to the EJB implementing the CAF service. So, you don't need to do anything explicitly.
  HTH!
  -- Vladimir

• How to use your own database with your users to authenticate in a Web app?

  Hello, everybody!
  I'm starting to write my first web application and I'm going to use JSF, JPA and EJB3 in this application. One of the first things that I have to do on it is the authentication part where I'll have a page with a user name and a password for the user to login. So, as I'm new to all this in Java (I've already implemented this on .NET in the past), I was studying the Java EE 5 Tutorial, especifically the section "Example: Using Form-Based Authentication with a JSP Page". But I saw that the users that the sample application uses come from the file realm on the Application Server. The users are created there and assigned a name, a password and a group. After the users are in the Application Server we can simply uses forms authentication declaratively in the deployment descriptor (web.xml).
  But the problem is that this doesn't work to me as I already have my own database with my users, so I want to use it instead of having to create the users on the Application Server.
  So, I'm asking you how to do that. Of course I'm not expecting that you place the code here to me as I know that such a thing could be complicated. Instead, I'm asking if you know about some tutorial, article, book or something that teaches how to do what I want. But I would like to see theses examples using JSF and/or EJB3 because these are the technologies that I'm using to develop. It's a pity that the Java EE 5 Tutorial doesn't have an example using a custom database as I know that this situation is very common in the majority of web sites.
  Thank you very much.
  Marcos

  From memory, it goes like this... You just create a
  raw jdbc connection on your user database using a
  special "login" DB user account, which has
  permissions only to an "authenticate" stored query,
  which accepts two arguments: username & password, and
  returns a boolean 0 or 1 rows found.When I implemented this in .NET's ASP.NET I had the same solution. I had an special user created in the database that I used to log in. When the real user entered his username and password I was already logged in and I had just to check his username and password agains the right table in my database.
  But that was only possible bacause when I connected to the database using my hidden user, I used the rights APIs in ASP.NET that coordinate the authentication process. This means that before login in, no one could access any resources (pages, atc...). So what I'm saying is that I can't manager this manually in Java. Java has to have some API or whatever to allow me to control the login process programmatically, while letting the Application Server control the access to the resources.

• Share music on same mac with different user accounts

  I'll try to make this clear, i have an imac with a large itunes collection. my two kids have accounts on that same mac, and want to be able to listen to what i have in my itunes. i can't see putting three copies of the same music on the same computer. is there a way to let them play what i have in my itunes account while they are logged in to their own account on the same computer?
  imac (5 years old)   Mac OS X (10.4.6)   macbook, G4 I book, I book, Imac
  macbook w/ superdrive, G4 with combo drive, I-book w/o cd burner   Mac OS X (10.4.6)   macbook, G4 I book, I book, Imac

  Jase, you said "Music sharing works across different user accounts, whether they are on the same computer or different computers", but my son will log into his account where he currently has no music. in the window on the left, we can see the other computers in the house that are on line, but there is no sign of the master account (on that same imac). i assume this is because the master account is not logged in, therefore the secondary accounts can't find the master account's music, nor can I from a remote computer ( my macbook, for example). for instance, right now from my macbook i can see my son's itunes list (on the imac) in my "share window" (even though his list is empty). he can also see my macbooks list in his "share window". he cannot see either my list on that imac, or his sisters list on that same imac. all acounts on the imac have sharing turned on, as well as "look for shared music" turned on.
  i guess the focus is on this: can the master user itunes list be made available to other users on that same computer while they are logged in as other users (and the master account is logged off, which it has to be in order for the secondary accounts to be logged in, right?) I can't think of any other way to ask this, so i hope that clarified what we have tried and what we are asking for.

• Sharing one library with two user accounts.

  I want to share one iTunes library with two user accounts on the same iMac.
  I've followed the tutorial where you move the iTunes Music folder to a shared location HD/Shared/iTunes and then pointed both iTunes to that location via the advanced menu, but only the admin account has the music. The other user account iTunes shows nothing.
  Also, I've now moved the music folder back to my area on the HD (not shared any more) and now the iTunes music folder shows all the album folders where before I guess they were hidden. Why and how do I get it back to how it was...?
  All we're trying to do is share one mac. My wife and I have our own log in user accounts, but want to have the same music and iPhotos accessible on our own set-ups.
  Thanks for any help.

  Out of interest I got this to work.
  I made a folder called 'All Music' and put all the album folders in it.
  Moved this folder to User/Shared/ and then clicked on the file, and Get Info.
  In Get Info added my wife to Sharing & Permissions as Read & Write.
  In iTunes / Advanced found the folder on my user account, and then did the same on my wife's account and hit add to library.
  I hope this was the right way to do it..... It seems to have worked.