Nice explanation of iTunes U authentication

I was having problems understanding how the above works, and Richard Wolf, who is assisting us in getting our site up and running, e-mailed me the following explanation, he agreed to let me post it.
I hope it helps others that may be stuck...it's in two parts, here it is:
iTunes U credentials are in the form of MACE URNs united to a "role". More on roles in a bit ...
Formally speaking, a URN is a URI and similar to a URL (a URL is also a URI). The main difference between a URN and a URL is that a URN "names" something within the web whereas a "URL" locates it. But the distinction that used to exist between a URL and URN is now a lot fuzzier than it once was. After all, URLs often do "name" things today ... and URNs often do contain the notion of "location" within them. But, for simplicity, think of a URN as a fancy way to "name something" on the web without necessarily locating it anywhere in particular. For example, you could have "color:red" ... or "suit:spades" ... these "names" wouldn't exist at any website ... they'd just be a common way of naming "things" within the web.
Technically speaking, a URN does not have to start with "urn" just as a URL does not have to start "url" ... a URN could start out like this: "isbn:" or "color:" just as a URL can start out "http:" or "ftp:". However, it's common to start out URNs with "urn:" ... that way, there's no confusion. After the "urn:" part, URNs follow the same rules for construction as any URI would. There's a whole RFC devoted to URI and URN formation.
MACE is the "middleware for education" initiative and is part of the Internet2 project. MACE has formally claimed a subset of the URN namespace. Again, there is an formal RFC that explains/refines MACE's URN subset rules. Apple, in turn, has claimed a subset of the MACE URN namespace ... specifically for use with iTunes U.
So you basically have this:
All possible URNs ---contains---> all MACE URNs ---contains---> all iTunes U URNs
This "containment" is shown in the form of every iTunes U credential. They all start out this way:
urn:mace:itunesu.com
In order to distinguish things you name at Connecticut College from staff I name at UIC, Apple adds a site subset to each URN:
urn:mace:itunesu.com:sites:conncoll.edu
urn:mace:itunesu.com:sites:uic.edu
Basically speaking, the powers that be outside Apple own this part of all iTunes U URNs:
urn:mace:itunesu.com
And Apple owns this part:
sites:conncoll.edu
sites:uic.edu
We own everything that goes after.
This "ownership" prevents any of us from naming things in such a way that we create any namespace conflicts. Anything after our site name is stuff that we ourselves own ... we can name things however we want (so long as we don't introduce any local namespace conflicts). What you do with your part of the URN namespace is only limited by your imagination.
So you could create URNs that look like this:
urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts
urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts:english
urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts:english:101
urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts:english:101:section-2
urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts:english:101:section-2:seat- 24
"In theory" you do not need the "urn:mace:itunesu.com:sites:conncoll.edu" part of the URN ... but if you omit it, you run the risk of a namespace conflict with some other site.
Also, as I'm sure you've noticed by now, the parts of the URN are separated by colons.
Okay, now onto roles ...
In iTunes U, a "credential" is the sum of a "role" and a "context". The context is given by the URN and the "role" is what a user of iTunes U assumes within that context. So you could have:
Instructor@urn:mace:itunesu.com:sites:conncoll.edu
-- an "instructor" within "Connecticut College"
Student@urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts:english:101
-- a "student" within "English 101 at Connecticut College"
Dean@urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts
-- the "dean" of "Liberal Arts at Connecticut College"
Again, "roles' are anything you can imagine. Apple does predefine some roles though ... there is the "Administrator" role, the "All" role, the "Authenticated" role, and the "Unauthenticated" role. Other than those roles, you can have whatever other roles you like. Roles are what makes sense to you and how you want Connecticut College's iTunes U access to work.
A "permission" in iTunes U is the sume of a credential plus an access level. Access levels are only defined by Apple. The three most commonly used access levels are "NO ACCESS", "DOWNLOAD", and "EDIT". When you give an access level to a credential, you are saying that someone holding that credential has that access (usually within the context described within the credential). For example, if you give Instructor@urn:mace:itunesu.com:sites:conncoll.edu "EDIT" access within a specific course, then any person holding the that credential will be able to edit the course.
So, in summary, we've got this:
An iTunes U Permission = Credential + Access Level
Credential = Role + Context
A "Context" in iTunes U is given in the form of a MACE URN
A "MACE URN" is basically a name you want to assign some entity (a class, college, etc) at your school.

Ok, here is Richard's Part Two:
When Apple deals with users of iTunes U, they have, effectively, no idea who the user making a particular request actually "is". All user interactions with iTunes U, even administrator accesses, are just "sessions" to Apple ... they're just connections ... there is no specific "user" involved. So how does Apple know how to restrict access for the user who initiates one session from another user who initiates a different session?
Well, every iTunes U session carries with it a set of credentials. A credential is like a high-school hall pass ... it doesn't say who the person bearing it actually "is" ... but it does say what "role" the person bearing it "has" ("AV tech" or "student aide" or "sick person") and in which context the bearer's hall pass is valid ("the projection room in the auditorium" or "the librarian's office" or "the nurse's office"). A high school student might carry multiple passes at the very same time ... each would be valid within a specific context ... which pass is used depends upon the context. So the "library" pass would be used when the student wants to assume the role of "student aide" in "the librarian's office".
This system of high school hall passes ... well ... it utterly depends upon a trusted party to issue the passes in the first place. For example, only a trusted teacher who actually "knows" a student can issue him/her the "student aide" pass the visit the "library". The librarian might not know a particular student ... but if the librarian knows that a trusted teacher issued that student a properly-formatted hall pass, he/she should let the student in with all the privileges that such a pass allows the student to have within the context of the library.
This is EXACTLY how iTunes U crednetialling works. You are like a trusted teacher that "knows" your students and that issues them iTunes U credentials. In fact, that is precisely the role o the iTunes U portal website ... it takes users and maps them onto a set of credentials. Apple then uses those credentials to create an iTunes U session for the user, granting him/her any rights associated with those credentials. The credentials that you use are entirely up to you ... Apple simply honors them. Since every site is different -- has different rules/roles -- the credentialling one site might setup could be utterly different from another's. That is why the Admin Guide is so very vague about the iTunes U portal website ... it describes "in general" what you need to do, but leaves the specifics up to you. Apple simply cannot know the way in which you might like to map users to credentials.
When chatted about the kind of setup you wanted for Connecticut College, you said that you wanted to create four basic roles ... "student", "faculty", "manager", and "sysop". Those seemed like reasonable roles, so they were mapped this way:
student --maps-to--> Student@urn:mace:itunesu.com:sites:conncoll.edu
faculty --maps-to--> Faculty@urn:mace:itunesu.com:sites:conncoll.edu
manager --maps-to--> Manager@urn:mace:itunesu.com:sites:conncoll.edu
sysop --maps-to--> Administrator@urn:mace:itunesu.com:sites:conncoll.edu
The only guy I really altered here is "sysop" ... since Apple predefines the "Administrator" role, I assumed you probably wanted to map "sysop" to it.
But notice that the context in each of the defined credentials for Connecticut College (the MACE URN part) is no more specific than your entire site ... there is no way I could make it more specific because I do know what students will be in what classes. Based upon the groups you defined on your portal, I can determine if a user is "in" a group ... and once I know that a user is a part of a group, I can assign a corresponding credential. Since an iTunes U session is not limited to just one credential, the portal checks whether a user is in any of the four groups and adds a corresponding credential if he/she is. For example, I put myself in each of your four groups ... so if I login to your iTunes U site, I'll have a session with all four credentials ... I'll assume all four roles. Take me out of a group, and the next time I login to your portal, I won't have the corresponding credential.

Similar Messages

PHP iTunes U authentication issue

I’ve been working with integrating iTunes U with Moodle. On the Moodle site there is an iTunes U block available for integrating the 2 systems. I’ve been trying to use this and I am able to get to the iTunes U site from Moodle, but I am not being signed into the site as an authenticated user. I can’t seem to figure out why. I was however able to authenticate with a Perl script.
The Moodle block has a Setting section where I fill in all my site specific information such as the Shared Secret. This is definitely working fine as I am able to get to my site without issue. But, the passing of the credentials and identity do not seem to be working because I am not being signed in as an authenticated user.
Right now my Credentials are very basic – formatted just like the sample ones – such as:
Adminstrator@urn:mace:itunesu.com:sites:example.edu (where example.edu is my school’s name).
Can anyone review the files below and shed some light on why I am not getting authenticated?
Thanks.
Itunes_redirect.php
<?php // $Id: itunesu_redirect.php,v 1.1 2008/06/06 19:08:49 mchurch Exp $
require_once('../../config.php');
global $USER, $CFG;
require_once($CFG->dirroot.'/lib/weblib.php');
require_once($CFG->dirroot.'/lib/moodlelib.php');
require_once($CFG->dirroot.'/blocks/itunesu/itunes.php');
if (!isloggedin()) {
print_error('sessionerroruser', '' , $CFG->wwwroot);
$destination = required_param('destination', SITEID, PARAM_INT); // iTunes U destination
$name = fullname($USER);
/* Create instance of the itunes class and initalized instance variables */
$itunes = new itunes();
$itunes->setUser($name, $USER->email, $USER->username, $USER->id);
/* more work needs to be done with determining credentials */
$itunes->setAdminCredential($CFG->blockitunesuadmincred);
$itunes->setInstructorCredential($CFG->blockitunesuinsturctcred);
$itunes->addAdminCredentials();
$itunes->setSiteURL($CFG->blockitunesuurl);
$itunes->setSharedSecret($CFG->blockitunesusharedsecret);
$itunes->setDestination($destination);
$itunes->invokeAction();
?>
Itunes.php file:
<?php
# iTunes Authentication Class
# Written by Aaron Axelsen - [email protected]
# University of Wisconsin - Whitewater
# Edited by Ryan Pharis, [email protected] - Texas Tech University
# Class based on the Apple provided ITunesU.pl
# example script.
# REQUIREMENTS:
# PHP:
# - tested with PHP 5.2
# - make sure hash_hmac() works - <a class="jive-link-external-small" href="http://us2.php.net/manual/en/function.hash-hmac.php">http://us2.php.net/m anual/en/function.hash-hmac.php</a>
# - php curl support
#Example Usage:
<?php
include('itunes.php');
$itunes = new itunes();
// show loading screen while processing request
//include(ROOTURL.'/includes/pages/itunesload.php');
// Set User
$itunes->setUser("Jane Doe", "[email protected]", "jdoe", "42");
// Set Admin Permissions
$itunes->addAdminCredentials();
// Set Instructor Permission
//$itunes->addInstructorCredential('uniquename_fromitunes');
// Set Student Credential
//$itunes->addStudentCredential('uniquename_fromitunes');
// Set Handle
// This will direct login to the specific page
#$itunes->setHandle('');
// iTunes U Auth Debugging
$itunes->setDebug(true);
$itunes->invokeAction();
?>
class itunes {
// Oktech - add
var $authtoken;
var $siteURL;
var $debugSuffix;
var $sharedSecret;
var $administratorCredential;
var $instructorCredential;
var $studentCredential;
var $urlonly;
var $urlcredentials;
var $destination;
// Oktech
* Create iTunes Object
public function __construct() {
$this->setDebug(false);
$this->siteURL = 'https://deimos.apple.com/WebObjects/Core.woa/Browse/example.edu';
$this->directSiteURL = 'https://www.example.edu/cgi-bin/itunesu';
$this->debugSuffix = '/abc1234';
$this->sharedSecret = 'STRINGOFTHIRTYTWOLETTERSORDIGITS';
$this->administratorCredential = 'Administrator@urn:mace:itunesu.com:sites:example.edu';
$this->studentCredential = 'Student@urn:mace:itunesu.com:sites:example.edu';
$this->instructorCredential = 'Instructor@urn:mace:itunesu.com:sites:example.edu';
$this->credentials = array();
// Set domain
$this->setDomain();
// Oktech add
public function getInstructorCredential() {
return $this->instructorCredential;
public function setInstructorCredential($credential) {
$this->instructorCredential = $credential;
public function getStudentCredential() {
return $this->studentCredential;
public function setStudentCredential($credential) {
$this->studentCredential = $credential;
public function getAdminCredential() {
return $this->administratorCredential;
public function setAdminCredential($credential) {
$this->administratorCredential = $credential;
public function getSharedSecret() {
return $this->sharedSecret;
public function setSharedSecret($sharedsecret) {
$this->sharedSecret = $sharedsecret;
public function getAuthToken() {
return $this->authtoken;
public function setAuthToken($authtoken) {
$this->authtoken = $authtoken;
public function getDebugSuffix() {
return $this->directSiteURL;
public function setDebugSuffix($debugsuffix) {
$this->directSiteURL = $debugsuffix;
public function getSiteURL() {
return $this->siteURL;
public function setSiteURL($siteurl) {
$this->siteURL = $siteurl;
* Extract the URL from the return html
* block from the iTunes U server. Replace
* Apple's itmss tag with https
private function extractURL($htmlblock) {
$remainder = '';
$pos = 0;
$result = '';
$remainder = strstr($htmlblock, "_open('i");
$remainder = substr_replace($remainder, '', 0, 7);
$remainder = substr_replace($remainder, 'https', 0, 5);
$pos = strpos($remainder, "');");
$result = substr_replace($remainder, '', $pos);
$this->urlonly = $result;
public function getExtractedURL() {
return $this->urlonly;
* Extract the credentials part from the returned URL from
* the iTunes U server
public function extractURLCredentials($url) {
$result = '';
$pos = 0;
$remainder = strstr($url, "gtcc.edu?");
$remainder = substr_replace($remainder, '', 0, 9);
$this->urlcredentials = $remainder;
public function getExtractedURLCredentials() {
return $this->urlcredentials;
public function setDestination($destination) {
$this->destination = $destination;
public function getDestination() {
return $this->destination;
// Oktech add
* Add's admin credentials for a given user
public function addAdminCredentials() {
$this->addCredentials($this->administratorCredential);
* Add Student Credential for a given course
public function addStudentCredential($unique) {
$this->addCredentials($this->studentCredential.":$unique");
* Add Instructor Credential for a given course
public function addInstructorCredential($unique) {
$this->addCredentials($this->instructorCredential.":$unique");
* Set User Information
public function setUser($name, $email, $netid, $userid) {
$this->name = $name;
$this->email = $email;
$this->netid = $netid;
$this->userid = $userid;
return true;
* Set the Domain
* Takes the siteURL and splits off the destination, hostname and action path.
private function setDomain() {
$tmpArray = split("/",$this->siteURL);
$this->siteDomain = $tmpArray[sizeof($tmpArray)-1];
$this->actionPath = preg_replace("/https:\/\/(.+?)\/.*/",'$1',$this->siteURL);
$pattern = "/https:\/\/".$this->actionPath."(.*)/";
$this->hostName = preg_replace($pattern,'$1',$this->siteURL);
$this->destination = $this->siteDomain;
return true;
* Set the Handle
* Takes the handle as input and forms the get upload url string
* This is needed for using the API to upload files directly to iTunes U
public function setHandle($handleIn) {
$this->handle = $handleIn;
$this->getUploadUrl = "http://deimos.apple.com/WebObjects/Core.woa/API/GetUploadURL/".$this->siteDoma in.'.'.$this->handle;
return true;
* Get Identity String
* Combine user identity information into an appropriately formatted string.
* take the arguments passed into the function copy them to variables
private function getIdentityString() {
# wrap the elements into the required delimiters.
return sprintf('"%s" <%s> (%s) [%s]', $this->name, $this->email, $this->netid, $this->userid);
* Add Credentials to Array
* Allows to push multiple credientials for a user onto the array
public function addCredentials($credentials) {
array_push($this->credentials,$credentials);
return true;
* Get Credentials String
* this is equivalent to join(';', @_); this function is present
* for consistency with the Java example.
* concatenates all the passed in credentials into a string
* with a semicolon delimiting the credentials in the string.
private function getCredentialsString() {
#make sure that at least one credential is passed in
if (sizeof($this->credentials) < 1)
return false;
return implode(";",$this->credentials);
private function getAuthorizationToken() {
# Create a buffer with which to generate the authorization token.
$buffer = "";
# create the POST Content and sign it
$buffer .= "credentials=" . urlencode($this->getCredentialsString());
$buffer .= "&identity=" . urlencode($this->identity);
$buffer .= "&time=" . urlencode(mktime());
# returns a signed message that is sent to the server
$signature = hash_hmac('SHA256', $buffer, $this->sharedSecret);
# append the signature to the POST content
return sprintf("%s&signature=%s", $buffer, $signature);
* Invoke Action
* Send a request to iTunes U and record the response.
* Net:HTTPS is used to get better control of the encoding of the POST data
* as HTTP::Request::Common does not encode parentheses and Java's URLEncoder
* does.
public function invokeAction() {
$this->identity = $this->getIdentityString();
$this->token = $this->getAuthorizationToken();
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $this->generateURL() . '?' . $this->token);
//curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Oktech - change
$this->authtoken = curl_exec($ch);
curl_close($ch);
/* Start a new sesstion and send a request for specific content with the appropriate credentials */
$ch = curl_init();
$this->extractURL($this->authtoken);
$this->extractURLCredentials($this->urlonly);
curl_setopt($ch, CURLOPT_URL, $this->siteURL . '.' . $this->destination . '?' . $this->urlcredentials);
//curl_setopt($ch, CURLOPT_POST, 1);
curl_exec($ch);
curl_close($ch);
// Oktech
* Auth and Upload File to iTunes U
* This method is said to not be as heavily tested by apple, so you may have
* unexpected results.
* $fileIn - full system path to the file you desire to upload
public function uploadFile($fileIn) {
$this->identity = $this->getIdentityString();
$this->token = $this->getAuthorizationToken();
// Escape the filename
$f = escapeshellcmd($fileIn);
// Contact Apple and Get the Upload URL
$upUrl = curl_init($this->getUploadUrl.'?'.$this->token);
curl_setopt($upUrl, CURLOPT_RETURNTRANSFER, true);
$uploadURL = curl_exec($upUrl);
$error = curl_error($upUrl);
$http_code = curl_getinfo($upUrl ,CURLINFOHTTPCODE);
curl_close($upUrl);
print $http_code;
print "
$uploadURL";
if ($error) {
print "
$error";
# Currently not working using php/curl functions. For now, we are just going to echo a system command .. see below
#// Push out the designated file to iTunes U
#// Build Post Fields
#$postfields = array("file" => "@$fileIn");
#$pushUrl = curl_init($uploadURL);
#curl_setopt($pushUrl, CURLOPT_FAILONERROR, 1);
#curl_setopt($pushUrl, CURLOPT_FOLLOWLOCATION, 1);// allow redirects
#curl_setopt($pushUrl, CURLOPT_VERBOSE, 1);
#curl_setopt($pushUrl, CURLOPT_RETURNTRANSFER, true);
#curl_setopt($pushUrl, CURLOPT_POST, true);
#curl_setopt($pushUrl, CURLOPT_POSTFILEDS, $postfields);
#$output = curl_exec($pushUrl);
#$error = curl_error($pushUrl);
#$http_code = curl_getinfo($pushUrl, CURLINFOHTTPCODE);
#curl_close($pushUrl);
#print "
#print $http_code;
#print "
$output";
#if ($error) {
# print "
$error";
// Set the php time limit higher so it doesnt time out.
settimelimit(1200);
// System command to initiate curl and upload the file. (Temp until I figure out the php curl commands to do it)
$command = "curl -S -F file=@$f $uploadURL";
echo "
echo $command;
exec($command, $result, $error);
if ($error) {
echo "I'm busted";
} else {
print_r($result);
echo $command;
* Set Debugging
* Enable/Disable debugging of iTunes U Authentication
public function setDebug($bool) {
if ($bool) {
$this->debug = true;
} else {
$this->debug = false;
return true;
* Generate Site URL
* Append debug suffix to end of url if debugging is enabled
private function generateURL() {
if ($this->debug) {
return $this->siteURL.$this->debugSuffix;
} elseif ($this->isHandleSet()) {
return $this->directSiteURL.'.'.$this->handle;
} else {
return $this->siteURL;
* Check to see if the handle is set
private function isHandleSet() {
if (isset($this->handle))
return true;
else
return false;
?>

Janet ... hmmm ... I suppose it could also be "Jane T. Smith" ... ah well, anywho,
One thing to understand when it comes to credentialling is that, even if your transfer CGI (Moodle block) doesn't work ... if you redirect someone to your iTunes U site, that person will -always- carry two credentials ... "Unauthenticated" and "All". You do not have to assign the credentials ... they are automatic.
Put it this way, if I direct you to my site:
https://deimos.apple.com/WebObjects/Core.woa/Browse/uic.edu
if you click on that link, authentication or no, Apple will give you the "Unauthenticated" and "All" credentials. Anywhere on my site where those creds are good, you'll have access.
Hmmm ... maybe I can rephrase it this way ... there are four credentials that are a part of every site ...
All ... everyone who accesses your site gets this cred ... everyone.
Authenticated ... if you pass a valid iTunes U URL request for a user, he/she will get this cred.
Unauthenticated ... this cred is given whenever someone gets to your site -without- a tokenized (credentials, identity, time, signature) URL request. For example, if someone uses your site base URL without any modification.
Administrator ... this cred has total access to a site.
So if you access your site using your admin cred, you'll actually carry three creds ... "Administrator" (of course), but also "All" and "Authenticated".
So why this long discussion of creds? Well, if you're getting in with the "Unauthenticated" credential, it's a sure sign your transfer CGI (Moodle thingy) isn't working ... at all. It's not that you can't pass the admin cred ... or identity info ... you're not passing any info. And because you're not passing any info, iTunes U does the default thing ... give you "All" and "Unauthenticated" access.

ITunes U Authentication Service

Hi,
During our deployment we've built a little ruby application that allows you to quickly and easily integrate existing authentication sources into your iTunes U infrastructure. We've packaged it up as a ruby gem so you can grab it and use it from here: http://iauthu.rubyforge.org/.
Feel free to use it and tinker as needed. If you have questions, suggestions or things you'd like added feel free to drop us a line.
--Ivan

Hi,
During our deployment we've built a little ruby application that allows you to quickly and easily integrate existing authentication sources into your iTunes U infrastructure. We've packaged it up as a ruby gem so you can grab it and use it from here: http://iauthu.rubyforge.org/.
Feel free to use it and tinker as needed. If you have questions, suggestions or things you'd like added feel free to drop us a line.
--Ivan

My iTune prompt authentication problem, always pop-up"http proxy server proxy:8080",

Hi All,
Now I using iTunes version 10.7.0.21, it is always prompt authentication, enter username and pasword. Have any method can reduce this status?
Thanks,
Yani

AFAIK, nothing, but the server probably doesn't allow getting it from the keychain. Contact the server admin and find out.

ITunes Proxy Authentication & iTunes Store can't connect

1) Stop Proxy Authentication Window
To solve the issue with the Proxy Authentication window coming up over and over please add the following to lines to your Proxy Configuration above the first DENY rule:
acl iTunes browser iTunes
http_access allow iTunes
2) Access Content in iTunes Store with Proxy
If you are having any issue with Content being displayed in the Store with Proxy, please follow the steps below:
In the Internet settings remove the tick next to "Autodetect" and "Proxy Server"
Launch iTunes and Connect to the Store (you should see no result when on Corporate network with Proxy)
in the Internet settings add the tick to "Autodetect" (or) 'Proxy Server" (set as you had before)
Launch iTunes and conenct to the Store, you should see content.
If you did above whilst on Corporate network with Proxy you will see badly rendered Content.
If you did above off Corporate network with no Proxy conencted to the Internet you will see the Store rendered correctly.
If you try this step once off the Corporate Network, the rendered content looks correct even when you connect to iTunes store via Proxy after the fact.

I have the same problem. The only firewall which I use is the wondoes firewall
Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)
System manufacturer System Product Name
iTunes 7.5.0.20
CD-Treiber 2.0.6.1
CD-Treiber-DLL 2.0.6.2
Current user is an administrator.
Current date and time are 2007-12-27 21:25:50.
Info on the screen:
NVIDIA GeForce 7900 GS
** Network connectivity tests **
About Network Adapter
Adapter Name: (02E5BAB0-654B-4891-A2D6-D1EB7766ECA4)
Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
IP address: 192.168.0.4
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.1
DHCP enabled: Yes
DHCP server 192.168.0.1
Lease receive: Thu Dec 27 2007
Lease ends: Tue Jan 19 2038
DNS Server: 83,169,185,161
83,169,185,161
83,169,185,225
Active: LAN connection
Connected: Yes
With the Internet: Yes
Modem in use: No.
LAN in use: Yes
Proxy in use: No.
About Firewall
Windows firewall is activated.
ITunes is in Windows firewall enabled.
Connection with the Apple Web site has been successful.
Connection with the iTunes store had failed.
The network connection has been rejected.
Secure connection with the iTunes store had failed.
The network connection has been rejected.
The establishment of a secure connection to the iPhone activation server was successful.
I'm german so this is a translation with google, because I don't have time now, sorry

ITunes proxy authentication BUG

Hello there,
i´m starting the iTunes 10.7 under Windows 7.
iTunes 10.7 gets the proxy settings from the IE9. Now the iTunes wants an proxy authentication o.k. ... but in my case i must repeat the loggin 5 TIMES.
Remember my Passwort ... dont work....
Anyone else have the same Problem?
Does anyone know iTunes 11 fix the proxy authentication BUG ???
How can i solve this problem ?

I have this issue, but at least 10.7 gives you the option to put in your authentication details.
iTunes 11 does not have proxy authentication at this point in time so do not upgrade if you require this.
I have upgraded to version 11 and now can't access the iTunes store.

ITunes proxy authentication

How to use itunes through a proxy server with transparent authentication with Microsoft AD? Itunes constantly asks for a password, and if you specify to save the password after password change attempts to authenticate the user under the old password does not work and has not deleted the file keychain.plist? How can I fix this?

I have this issue, but at least 10.7 gives you the option to put in your authentication details.
iTunes 11 does not have proxy authentication at this point in time so do not upgrade if you require this.
I have upgraded to version 11 and now can't access the iTunes store.

Email from itunes is authentic?

I'm getting authentic looking emails from apple support telling me to change my password by clicking below. Oddly its from apple UK which I've never dealt with. How does one know if its authentic or not?

How does one know if its authentic or not?
It sounds like you already know that it is not authentic, and you are correct!
Just delete the email. If you want more information, see these 2 documents:
"Identifying fraudulent "phishing" email"
http://support.apple.com/kb/HT4933
"Identifying legitimate emails from the iTunes Store"
http://support.apple.com/kb/HT2075

Nice "feature" for iTunes match in IOS6 - not!

So, under IOS6, there's no indication in iTunes of whether a track is held locally on the device or in iTunes Match. That's a pain in the *** on its own but there's more.
It's not possible to download a track from within the "Songs" view. This can only be done in the Album or Artist view. I tend to scroll through the Songs view looking for tracks to liste t or copy to my iPhone before I get on a plane or go somewhere there isn't a data connection. So when I find a song I want I hae to locate the album it belongs to and download from there, then go back to the Songs view and back and forth, back and forth...
Dumb oversight that could have been easily avoided, especially as it was something that was possible undr IOS5
I guess Apple assume everyone is always connected to high speed data everywhere, including on a plane or on the underground.

Hey thank you for your response... i did realize later that the do not disturb was turned on. i thought you had to turn it on to have it on at night. didn't know that it ment for immediate use. But i got it figured out...
As for itunes match. I did a little more research. Its actually designed that way so you can't delete any song unless... you turn off itunes match in setting then you can delete songs. Its sort of a fail safe so you dont delete songs by accident. So its not that bad. ios6 is designed to delete songs automaticly if space is needed on your phone. it will delete songs that have less play. hope that helps you guys.

ITunes U Private - Authentication

We are looking for a iTunes U Authentication script that works with Moodle 2. Unfortunitly the old Moodle Block for iTunes U Authentication is not compatable with Moodle 2. (http://moodle.org/mod/data/view.php?d=13&rid=1582) Does anyone have any ideas.
Alternatively a iTunes U Authentication script that works with Lion Server Wikis would also be great.
Thanks for any help

The below in BOLD is what I am trying to do, but do not have an option to do. Is this something Apple must give me a role or permission to do? I am already and Administrator.. Thanks in advance!
To add content to your site you must create collections containing the course content, series information, or items you want to share with your users.
To add a collection:
Click Collections at the top of iTunes U Public Site Manager.
Click the Add button.
Choose one of the following from the pop-up menu:iTunes U Public Site Manager adds the new collection to the collections manager page.
Provider-Hosted Feed. Choose Provider-Hosted Feed to add a new collection from a feed URL hosted on your servers, type the feed URL, and then click Add. For example, http://www.example.com/rss/provider-hosted-collection.rss.
Apple-Hosted Feed. Choose Apple-Hosted Feed, if available, to add and edit a new collection from a new RSS feed hosted on Apple's servers, click Add, and then use the feed editor to add channel and item details and upload content.
Copy from Original iTunes U Site. Choose “Copy from Original iTunes U Site” to add a new collection by copying a group from your original iTunes U site, type the group URL, and then click Add. To copy a group from your original iTunes U site, navigate to the group, Control-click the group's tab, choose Copy Link, and then paste the link in the Group URL field.You must be an administrator to use "Copy from Original iTunes U Site". You cannot use "Copy from Original iTunes U Site" to add a feed course from your original iTunes U site.Once you publish your site, you can no longer use "Copy from Original iTunes U Site" to add a collection in iTunes U Public Site Manager.
If you add, remove, or hide a collection or update an iTunes U Public Site Manager page, you must publish your site for the changes to appear in iTunes U in the iTunes Store. Publishing changes can take up to 24 hours to appear in the iTunes Store.

How can I verify that iTunes charges are authentic?

How can we verify that charges from iTunes are authentic when there is no record of them otherwise?

If you purchased something, the charges are authentic.
If you did not purchase anything, the charges are not yours.
Contact Apple support and contact your credit card company.

Resources needed to integrate iTunes U with existing authentication?

I have been reading the on-line and PDF iTunes U Admin guide for a few days now.
I think I can handle most administration issues, but not how to integrate iTunes U with our existing authentication system, described here http://bit.ly/7oAzpp
I believe ours is LDAP based.
Not sure other staff have the time to do it. We may have some CS students that might be able to tackle it.
As an alternative, are there outside services that might specialize in this?
Any rough amount of hours or cost?
I am looking at options, and welcome any feedback.

Frank, in answer to your questions…
Frank Fulchiero wrote:
1. What technologies does one have to be familiar with to write up iTunes U authentication with existing authentication systems? In the sample download, there are files in C, Java, Perl and Python. Do you need to know all of these, in addition to HTML?
You do not need to know any particular language…Apple's examples are just starting places. Each of those code samples does exactly the same thing, just in a different language. In addition to the samples that Apple provides, others have written similar code samples in languages like C#, VB.Net, and Ruby. "In principle", you could use a language not yet explored by others (say Erlang or Haskell or whatever)…but you would need to do pretty much what the other code samples do.
If I had to give a rough summary of what you would need to know to implement an iTunes U portal, it'd run like this:
1. You need to be able to setup a web server. It can be any sort of server with which you are most comfortable…IIS in Windows, Apache running on Linux, or OS X Server's web server (which is also Apache)…or even something else.
2. You need to know how to get CGI running on your chosen web server. The actual CGI code can be in any language you like (Apple's samples are in Perl, C, Python, etc., as you pointed out). But you need to know how to get CGI code installed and working on your web server. In addition, you need to know just enough about how the code works to adapt it to suit your specific institution.
3. You need to know just enough about how authentication works at your site to access it in code. "Usually" this is fairly straightforward…but Apple's code samples do not show how to do this—they can't because every institution handles authentication differently…some use LDAP, others Active Directory, some use Banner…others use things like eDirectory—each of these packages gives you a way to determine with a login or bind is going to work.
Frank Fulchiero wrote:
2. We are considering pilots with only a few faculty and 50-100 students. I am wondering if it would be any easier, in order to get started, to use OSX Server 10.6' Users and Groups and Open Directory for authentication, instead of our college's AD, and just manually enter the users. Due to security concerns, our network admins might find this more acceptable.
Certainly that would work. One of the nifty things about iTunes U is that you're not married to any solution you implement…you can always change/grow into something different later.

Integrating iTunes U with Authentication at Lafayette College

A couple of folks have asked how we got iTunes U authentication working at Lafayette. Here's a quick run down of how we did it; if you have any questions about the specifics feel free to e-mail me at [email protected].
The quest for authentication started with reading Chapters 1 and 2 of the iTunes U documentation and downloading the sample connection scripts. This yielded a few observations: 1) we could use our department's preferred programming language, Perl, to build the authentication process 2) Apple designed iTunes U's user/roles framework on the assumptions that folks would use the eduCourse specification and that the college's campus authentication system would include role and course information.
Our campus LDAP does not store course information and has limited information about roles. Because of this, we decided to implement a two-part authentication -- first we'd authenticate against our campus LDAP directory, then we would check the user against eduCourse-based role and course information stored in a small MySQL database. With this information in hand, the Perl script then builds the connection script with all of the role/user/unique identifier information.
We are looking at extending campus LDAP to include the needed information, but in the short term this allows us to manage access to iTunes U.
The biggest headache we encountered in setting up the authenication process involved time. After many trials and too many errors, we determined that our web server's clock was out of sync with Apple's by 110 seconds. Since we only had 90 seconds to authenticate, that meant that the handshake couldn't be concluded. We solved the problem by making sure our server's clock is updated hourly against an NTP time server.
The Process
1. A private/public login page was created on our secondary web server, ww2.lafayette.edu. This login page accepts the user's Network ID and password and passes those values on to a Perl script. It also includes a "public link" that goes to the same Perl script
2. The Perl script checks to see if the Network ID and password.
3. If the Network ID and password are given, the credentials are checked against the campus LDAP server using Perl's LDAP functions. If the user authenticates, then a query is run against a MySQL database to determine what access that user should be granted based on roles (Instructor, Learner, Administrator) and courses (a list of unique identifiers for courses) based on the eduCourse specification.
4. If the public link is clicked, then the user is connected directly to iTunes U with no credentials, which lands them on the public welcome page.
Useful Resources
* Flowchart of Lafayette College's iTunes U Authentication Scheme:
http://ww2.lafayette.edu/~its/downloads/pdfs/public/LafayetteItunesAuth.pdf
* LDAP representations of eduCourse attributes and an auxiliary object class
http://middleware.internet2.edu/courseid/docs/internet2-mace-dir-courseid-educou rse-ldap-200507.html
* eduCourse Data Model
http://middleware.internet2.edu/courseid/docs/internet2-mace-dir-courseID-eduCou rse-200507.html
I hope this helps -- good luck with your configuration!

to quote Gaff from Blade Runner " You've done a man's job , sir"
Great work Ken your team has paved the way for us.

Free Java Authentication/Administration Tools

Hi all,
I thought it might be helpful to some of you if I shared my source code for iTunes U authentication. I also have included in the webapp a basic set of admin utilities with a showTree feature. The fun part of the showTree features is that I have written a digester that instantiates java objects of the xml nodes, so you can extend it to do any number of things (please honor the license agreement though!-)
There is a README.rtf that has the webapp instructions.
You can download the war file and all source from here:
http://uonline.utah.edu/temp/iTunesuFreeTools.jar
Hope this finds its way into "usefulness" somewhere. Enjoy!

I've just installed this. (I had to also modify server.xml to include context before connection pooling would work. See below.)
Yeah, I am using virtual hosting, so your experience may differ. Thanks for the solution post!
I'm trying to get a better understanding of how I can use the framework to allow visitors to download content. Any help or documentation would be great..
You can use the [email protected]:itunesu.com:sites:yourschool.edu permission to allow unauthenticated users to download and stream content, of course, or you can publish a visitor login and password. There are 3 visitor profiles already listed in the visitor table; to download, edit, and shared. You can add the permissions to objects like this:
[email protected]:itunesu.com:sites:yourschool.edu with download access level.
[email protected]:itunesu.com:sites:yourschool.edu with edit access level.
[email protected]:itunesu.com:sites:yourschool.edu with shared access level.
So, to clarify, any_uid, when authenticated from the within the visitor table will be given the [email protected]:itunesu.com:sites:yourschool.edu credential. I added this for our staff that want to give seminars to professors where they can work on private test courses. But, you can use it for anything you choose. I also added the nonkdcauth table for the soul purpose of sharing the app with others. We use Kerberose to authenticate, and ldap to pull course credentials. Any uid listed in the nonkdcauth table will be given the [email protected]:itunesu.com:sites:yourschool.edu credential.
The credentials are built in the edu.utah.uonline.ViewBean. Refer to the source for adding or understanding the features. Sorry, not very well commented, but hopefully not too obscure.
Also, I'm a little confused on how to get this working with LDAP. I know our LDAP server and I know that we use 'cn' instead of 'uid'. I also know that we can traverse everything below our 'o=trinity'. Not sure how to fill out the resource file to make it work.
The hardest thing for me when I started writing java code to do lookups against LDAP was the connection stuff. This code can be found in the edu.utah.uonline.ViewBean as well (starting in line 156, initProperties(boolean useLDAP)). Each ldap server can be set up differently so you will need to know your structure to implement it. This code will also have to be changed to reflect your specific filter information (line 169 of same source file).
Just another couple thoughts about kdc and ldap. I originally added these features, like storing uids and passwords in tables to build our credentials so that I could publish the webapp for those who did not use KDC or LDAP. Hence, useKDC and useLDAP from the properties file was an after thought. If you choose to try to implement these features at your school, make sure you also check you kdc connection specific properties in the Resources.properties file and then change useKDC and useLDAP to "true" (also found in the Resources.properties file) and then check all connection and filtering code in both edu.utah.uonline.ViewBean and edu.utah.uonline.Login.
Nice work. I've been frustrated with this custom integration since we signed on to iTunes. Now I see light at the end of the tunnel.
Glad to help!

Shared iTunes account? pros vs cons

Should my spouse & I share the same itunes account? I've been set up with itunes for years & he just started using an iphone recently. What are the pros & cons of sharing the same itunes account? Thanks!

epfegn wrote:
Nice explanation! So let me test my understanding here using your system as an example. You say you sync photos and stream everything else. Does this mean that you have set ATV to "Custom sync" only photos and then check box to stream everything else?
Yes, more or less.
I do have some content that I don't want on my tv (ie, ipod versions of movies that I already have as tv versions) which I uncheck so they don't stream.
Also, if I wanted to switch completetly to "stream" from a primary libray do I first go into "Computers" tab on ATV and "cancel" the sync and then go into the "share" menu and enter that password instead into my iTunes account?
No, that would change it to a secondary library which although would stream everything for you would also lose you some functionality. To stream everything (except for photos that is) from a primary library go to your sync options and deselect the sync checkboxes in each category.
I know for sync, it took like 4 hours to put in 8000+ songs. Will it take this long for "stream" configuration?
When a primary library is linked to the tv there are two sets of data that are copied to the tv; The content itself and a library database file. The database file is relatively small (mine is around 20 MB) and is updated regularly which takes (for me) around 20 seconds. The content is much larger and can take a significant amount of time to copy (of course you only need to do it all once), if you sync nothing from your primary library then it won't take any time at all.

Nice explanation of iTunes U authentication

Similar Messages

Maybe you are looking for