Network security: Configure encryption types allowed for Kerberos-Windows 2008

If the setting below has been enabled in domain policy on a Windows 2008 R2 DC, what is the effect on a Windows 2008 member server? That setting is not present in Windows 2008.
Network security: Configure encryption types allowed for Kerberos:
Please advise and, if possible, please provide more info.
AliahMurfy

Hi,
I found some related information: some types of encryption are not supported on Server 2008, such as AES128_HMAC_SHA1.
For more detailed information, please refer to the following KB:
Network security: Configure encryption types allowed for Kerberos
http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
Hope this helps.

Similar Messages

  • "No subtransaction type allowed for this invoice"

    Dear Gurus
    While creating an excise invoice (j1iin) from billing I am getting an error "No subtransaction type allowed for this invoice". I get this error when I try to save the excise invoice. I am using subtransaction type.
    The required config for subtransaction is done. The necessary excise account determination is done. The config done is
    1. excise account per transaction
    2. G/ L account per excise.
    Is there any setting that is missing?
    Regards,
    DDP

    Hello,
    Please have a check again for the below and the sub transaction type
    G/L accounts  sub transaction type
    default groups for all the combinations that are relevant for your transaction
    if it still does not work, re login and check again
    these are the only settings through the sub transaction is activated
    else have a debug with abaper to know the cause as the last option
    Thanks
    akasha

  • Error message:enter rate GBP/MYR rate type M for 01.05.2008

    When we try to post the GL account document using t-code F-02 the
    system does not allow us to post and pops up an error message: Enter rate
    GBP/MYR rate type M for 01.05.2008 in the system setting.

    You must have updated the OB08 table for GBP to MYR for 'M'
    but not maintained it for MYR to GBP for 'M'.
    If your local currency is MYR and GBP is a direct quote always maintain:-
    M -  1 GBP   against direct say 40 MYR
    M - 0.02 MYR indirect against 1 GBP
    Regards,
    Alok

  • How to Configure Active-Passive oracle cluster in Windows 2008 R2 64bit Server.

    How to Configure Active-Passive oracle cluster in Windows 2008 R2 64bit Server With Oracle 11g R2.
    How many database will play in this role.
    Best,

    hello
    I was going through your post and i am also doing the same thing here at our organisation for Oracle 10g R2
    Can you pls send me any docs u r having for configuration of Oracle in windows clusters .
    And, can you pls elaborate on this point
    e)Create Oracle Service with the same name in the 2nd node and copy all the files like spfile,tnsnames.ora,listener.ora,password file to Node2.
    Pls send me the details at [email protected] or you can contact me at 08054641476.
    Thanks in advance.

  • How to configure Login Modules Stack for Kerberos/LDAP

    Hello colleagues,
    currently we are working on UME configuration for the following use case.
    A clustered portal instance NW2004s running on AIX should be able to authenticate two groups of users.
    The first one is described by an LDAP Data Source (Sun Directory Server) and uses some artificial unique userID. Based on this userID, the SSO Ticket is created to get access to the backend R/3 system. The LDAP schema has a "userdomain" attribute in it.
    The new group is using ADS. These users are happy using it, because they have Windows-based authentication and aren't forced to type any credentials during login.
    There are plenty of blogs describing how to connect ADS (even as a second DataSource) to UME.
    There are two unsolved problems:
    1. ADS account attributes do not have the userID needed to get an SSO Ticket
    2. LDAP DataSource has no ADS password and cannot be used for Kerberos authentication.
    What could be a solution for this case? I am sure we need an extra login module which enriches the Subject (the user, who is already authenticated by the SPNego module) with the userID, selected from the LDAP DataSource based on user attributes.
    Is there any other solution? May be I can mix some attributes in a DataSource configuration file?
    Best regards
    Sergej Naimark

    Hi Frank,
    did you configure the SSO for an individual policy configuration or did you edit and save the changes to the ticket policy config? I ask, b/c if you applied the changes to the individual policy config then the SSO with certificates will be used only when you access the applications for that policy config.
    You can also double check the login module flags - perhaps the authentication check doesn't reach the ClientCertLM at all.
    Since you followed the help portal instruction I assume you've enabled strong crypto - it is required for client cert SSO. Another easily committed mistake is to also not use the HTTPS port in the access URL.
    Let me know if this helps...
    Yonko

  • Account types allowed for document type

    Hello,
    when i am in the edit mode of document types through IMG, i can see the account types listed and can select the account types which can be posted with this document type.
    but the issue is there are only 5 account types predefined, what if i have added a new account type?
    Thanks

    No classification is required for GL accounts to account types.
    If a document type is assigned to account types then you can post documents using a document type only to the respective account types.
    Say for example,
    You have a document type XY for which you have selected the account types D and K, then the document type XY can be used only to post to vendor and customer subledger and you cannot use the doc type for the rest of the three account types.

  • Configure Encryption Notification Templates for IronPort Email Encryption

    We are running a Cisco C100V Email Security Virtual Appliance and are going to start using the IronPort Email Encryption capabilities to send secure email to recipients outside of our organization.
    I see under Mail Policies --> Text Resources that you can create an "Encryption Notification Template", HTML or text based, that gives a general message to a recipient on what to do when they receive this secure email using this process.
    Is there a way that I can customize that template a little more?  I would like to add at least our corporate logo to that template just to make things more visible to the recipient who the message is coming from.
    I've tried to copy and paste the HTML code out and edit it, throwing an <IMG> tag in with a URL as the source back to a logo I put in a folder on our public website; however, it didn't work.
    Can this be done or am I just stuck with the dull as dishwasher framework of that template..?
    Thanks.

    Yes - you can edit the template to include the logo, or anything you wish --- standard HTML encoding applies...
    Here - I have added in the Pittsburgh Pirates "P" logo --->
    My HTML code --- only choosing to add a NEW template in the text resources, using the template wording --- and inserting the BOLD RED section w/ the image location for the Pirate "P" source:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
     "http://www.w3.org/TR/html4/loose.dtd">
    <html>
     <head>
      <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
      <meta name=version
       content="$RCSfile: PostXMessage.html,v $ $Revision: 1.10 $">
      <title>Secure Email Message</title>
     </head>
     <body bgcolor="#EEEEEE">
      <table align=center style="width:80%;border:1px solid #336699;
       background-color:white">
       <tr>
        <td>
         <table width="95%" cellspacing=0 cellpadding=0 align=center>
          <tr>
           <td>&nbsp;</td>
          </tr>
          <tr>
           <th style="font-family:Verdana,sans-serif;font-weight:700;
            font-size:10pt;text-align:left;color:#333333">
            You have received a secure message
           </th>
          </tr>
          <tr>
           <td style="border-top:1px solid black">&nbsp;</td>
          </tr>
          <tr>
           <td style="font-family:Verdana,sans-serif;font-size:8pt;
            text-align:left;color:black">
              <img src="http://pittsburgh.pirates.mlb.com/images/homepage/team/y2011/footer/pit.png" border="0">
              <strong>Read your secure message by opening the attachment,
              ${AttachmentName}.</strong> You will be prompted to open (view)
              the file or save (download) it to your computer. For best
              results, save the file first, then open it in a Web browser.
              To access from a mobile device, forward this message to
              [email protected] to receive a mobile login URL.
              <br><br>
              If you have concerns about the validity of this message, contact
              the sender directly.
              <br>
              <p>
              <strong>First time users -</strong> will need to register after
              opening the attachment. For more information, click the following Help link.
              <br>
              <strong>Help -</strong> <a href="https://res.cisco.com/websafe/help?topic=RegEnvelope">https://res.cisco.com/websafe/help?topic=RegEnvelope</a><br>
              <strong>About Cisco Registered Email Service -</strong> <a href="https://res.cisco.com/websafe/about">https://res.cisco.com/websafe/about</a>
              </p>
            </td>
          </tr>
          <tr>
           <td>&nbsp;</td>
          </tr>
         </table>
        </td>
       </tr>
      </table>
     </body>
    </html>
    Test your HTML coding out before hand if you need --->
    Can you test the code from this site:
    http://www.w3schools.com/TAGS/tryit.asp?filename=tryhtml_pre
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • How can I configure radius to allow a non-windows device to authenticate with a certificate?

    I currently have a 2008r2 server with NPS acting as a radius server for our wireless network.  The existing rules are setup to allow access based on windows group membership.  I need to get a wireless jetdirect connected to the wifi network.  
    If I create a certificate for this device with key usage settings for client auth / server auth, can it authenticate to radius with that cert?  
    How would I set up a NPS policy to allow this device, since it's not a domain member and not a member of the windows groups?

    Hi there -
    I asked the NPS team about this, and following is their response:
    Yes, it’s possible but it’s a very manual process.  I will give you the easy steps then the hard ones.
    Easy (relative):
    1. Using a domain joined machine, request a certificate from a template that allows the private key to be exported.
    2. Export the cert with the private key.
    3. Import on all workstations/devices that require it.
    Pros:
    - Relatively easy to create the cert and manage the account
    Cons:
    - Single certificate used on multiple machines
    - Certificate does not accurately reflect the name of the device
    Hard:
    1. Create an account in AD.
    2. Issue a certificate from a template that allows the private key to be exported.
    3. Using name mappings, attach the certificate to the account.
    4. Create an SPN that matches the SAN on the certificate, i.e. if the SAN is computer.domain.com, you need to create a SPN on the account host/computer.domain.com.
    5. Install certificate on to target workstation/device.
    Pros:
    - Relatively, more secure than previous steps as you create a single account/certificate pair per device
    Cons:
    - Not very manageable
    Thanks -
    James McIllece

  • What movie-video type files for a windows PC

    I have some movies (4.m4v type files) and videos (flv files) that I wish to send to a windows PC user.
    Will they be able to view them with their normal windows software, or will I have to convert them
    to other type files - if so... what type ?
    Thanks
    K

    I recommend Gom Player. It can handle a wide variety of file formats including the ones you have stated. It is free and can be downloaded from http://www.gomlab.com. It can also play incomplete files and thus, very useful for unfinished downloads.

  • How to encrypt a folder for a windows user from Lion?

    How do I encrypt a folder to be sent to a Windows user without recurring to the command line?
    I have Stuffit 13 but get an error message. Upgrading seems over-kill. Willing to try another utility if necessary.
    Tommy

    Write an encrypted zip folder.

  • Resetting the EventRecordId for a Windows 2008 R2 event log

    Can the EventRecordId of a Windows event log be reset to 0?
    I can clean the log but the EventRecordId does not reset.
    If so, how can one do this?

    According to MSDN,
    "The RecordNumber member of EVENTLOGRECORD contains the record number for the event log record. The very first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches ULONG_MAX, the next record number will be 0."
    This means RecordNumber should never exceed ULONG_MAX which is about 4 billion. How can people get RecordNumber of 18 billion? Does this mean there is some bug in windows event log? Thanks for clarification.

  • Exchange Server Restarts Automatically After Configuring Allowed Kerberos Encryption Types

    Hi,
    Our Exchange 2013 SP1 servers are installed on Windows Server 2012 R2. After configuring "Network security: Configure encryption types allowed for Kerberos" to AES256_HMAC_SHA1 only, the Exchange servers began rebooting automatically. But after adding RC4_HMAC_MD5, the issue stopped.
    Does this mean that Exchange 2013 SP1 requires RC4_HMAC_MD5 as an allowed Kerberos encryption type?

    this will help you to understand...
    http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx
    Thanks Prem P Rana MCSA Messaging 2003 MCSE 2003 Server MCTS MCITP Exchange 2007, 2010 Gurgaon, India http://blogs.msexchange-experts.com

  • Does WebLogic 11g support Kerberos AES/RC4 encryption on Windows 2008 R2?

    Does WebLogic 11g support Kerberos AES/RC4 encryption on Windows 2008 R2?
    Thanks,

    DES is disabled by default on 2008, could this DC be a Windows 2003? If so then this would be the expected encryption.
    The following is the list of the encryption available for each Windows system:
    - Windows 2000, XP, Windows Server 2003: DES, RC4
    - Vista, Windows Server 2008: DES, RC4, AES
    - Windows 7 and Windows Server 2008 R2: DES (disabled by default), RC4, AES
    From:
    http://blogs.msdn.com/b/openspecification/archive/2010/11/17/encryption-type-selection-in-kerberos-exchanges.aspx
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.
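
An added example (not part of the post above, and not Microsoft's code) that checks which encryption type a given "Configure encryption types allowed for Kerberos" selection leaves in common with each Windows generation in that list. The bit values are the documented msDS-SupportedEncryptionTypes flags; picking the strongest common type is a simplifying assumption about negotiation, and the function names are hypothetical.

```python
# Added example: compare an allowed-encryption-types bitmask with the
# per-OS list quoted in the post. Not code from the forum thread.
ETYPES = [  # ordered strongest first
    ("AES256_HMAC_SHA1", 0x10),
    ("AES128_HMAC_SHA1", 0x08),
    ("RC4_HMAC_MD5", 0x04),
    ("DES_CBC_MD5", 0x02),
    ("DES_CBC_CRC", 0x01),
]
BITS = dict(ETYPES)
DES, RC4, AES = 0x03, 0x04, 0x18
WEAK = DES | RC4  # types a defender wants to see phased out

# Types each Windows generation has enabled by default, per the list above
# (DES exists but is disabled by default on Windows 7 / Server 2008 R2).
OS_DEFAULTS = {
    "Windows 2000/XP/Server 2003": DES | RC4,
    "Vista/Server 2008": DES | RC4 | AES,
    "Windows 7/Server 2008 R2": RC4 | AES,
}

def decode(mask):
    """Names of the encryption types set in a policy bitmask."""
    return [name for name, bit in ETYPES if mask & bit]

def strongest_common(policy_mask, peer_os):
    """Strongest type allowed by the policy and enabled on the peer, or None."""
    common = policy_mask & OS_DEFAULTS[peer_os]
    for name, bit in ETYPES:
        if common & bit:
            return name
    return None

def audit(policy_mask):
    """Map each OS generation to (chosen type, status) for one policy value."""
    report = {}
    for os_name in OS_DEFAULTS:
        chosen = strongest_common(policy_mask, os_name)
        if chosen is None:
            status = "NO COMMON TYPE"  # Kerberos with this peer would fail
        elif BITS[chosen] & WEAK:
            status = "weak"            # works, but only via RC4 or DES
        else:
            status = "ok"
        report[os_name] = (chosen, status)
    return report

if __name__ == "__main__":
    # Constructed policy values: AES256 only, and AES256 plus RC4.
    for label, mask in (("AES256 only", 0x10), ("AES256 + RC4", 0x14)):
        print(label, decode(mask))
        for os_name, (chosen, status) in audit(mask).items():
            print(f"  {os_name:30} {chosen or '-':18} {status}")
```

A "NO COMMON TYPE" row identifies the systems to upgrade or exempt before tightening the policy; a "weak" row shows where RC4 or DES is still the only thing keeping authentication working.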

  • Network Security - Need a recommendation

    Hi there!
    I'm currently running a wireless network in my apartment that is passworded on a regular bare bones LinkSys router. Currently I have both my PC desktop and my MBPro on this network. Both are running just fine.
    What I am concerned about is people in the apartment complex using my network. I know I could bump up the security on my router but what I really want is a program that lets me A) see the IP's of people connecting to my network, if any, and B) single them out and block them. I have no idea whether such a program exists for Leopard. I'm actually fairly computer-savvy, but network security is a new arena for me.
    I'm just wondering if anyone could recommend a program to use that is only moderately complex. Also, I'm willing to pay money, but free is always better. Or any other information would be great, e.g. if the MBP already has the propensity for this type of activity on its own. I know it does a great many things.
    Thanks for any help!

    demosthenes_ wrote:
    A) see the IP's of people connecting to my network, if any
    Your router should provide this via the web based administration interface.
    B) single them out and block them
    Instead of monitoring the router for rogue connections, you could set up your Linksys router to perform MAC address filtering. MAC address filtering involves setting up a whitelist of MAC addresses that can connect to the router and any MAC address that isn't in the list you can explicitly deny access.
    What you would need to do is to add the MAC address for each device you have that you want to connect to the network.
    To be honest though, if you're at all concerned about the security of your data, http traffic, if you do any online banking, shopping etc. you should really enable the encryption features of your router. With the way you have things set up at the moment, even with MAC address filtering enabled your wireless connection can still be snooped on, which means your passwords, account numbers etc. are potentially travelling in the clear over the airwaves.
    Personally I would just configure the router to use the highest encryption level that all your computers can support and secure the Wireless network with a 10+ digit authentication key (utilising alphanumeric, punctuation and number characters). Doing this will ensure that your network is secure and minimise the risk of someone getting hold of any sensitive data.

  • Encryption Type in Microsoft Excel 2013 (XLS file)

    Hello,
    I am creating a password protected file of format Excel 97-2003 Workbook (.xls) using Microsoft Office 2013.
    I have written a Java program to read a password protected Excel file using the POI API. I am able to read an .xlsx file using this API, but I am not able to read an .xls file. It throws an error: org.apache.poi.hssf.record.RecordFormatException: Unknown encryption info 4
    Using same java code I am able to read .xls file if I use Microsoft Office 2010 to create this file. 
    As per POI API documentation:
    Apache POI contains support for reading few variants of encrypted office files:
    XLS - RC4 Encryption
    XML-based formats (XLSX, DOCX and etc) - AES and Agile Encryption
    I think in Microsoft Office 2013 the encryption type has been changed for XLS files. So I want to know how I can solve this issue. Also please let me know how to configure the encryption type for an Excel file in Microsoft Excel 2013.
    OS is Windows 8(64-bit).
    Thanks
    Vishal

    Hi,
    Please see the article and check if it is helpful:
    https://issues.apache.org/bugzilla/show_bug.cgi?id=35897
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    This is the forum to discuss questions and feedback for Microsoft Excel; the issue is more related to Office/Java development, so I recommend you connect with the POI provider to get more help.
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
    George Zhao
    TechNet Community Support
    It's recommended to download and install Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office programs.
