OAM11g- WNA question

Hi,
We are trying to configure multi-domain WNA using OAM 11.1.1.5.2. WNA works fine with one domain and fails with the other, i.e., if the user logs in to Windows with the second domain, the authentication fails and we see the KDC is sending an NTLM token instead of a SPNEGO token, and hence the authentication fails. Has anyone tried multi-domain WNA using OAM 11g? Any ideas/suggestions on how to configure this?
Thanks

Hi
I have configured multiple Authn schemes with unique krb5 and keytab files for 2 domains (I'm assuming it will scale to n domains) without issue; it works fine assuming you have multiple policies using their own scheme. I'm now trying to work out if I can use a single policy and a single custom Authn module to determine the source domain and use the appropriate krb5/keytab files. Any ideas?
Thanks
Roman
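
The symptom in the question above, an NTLM token arriving where a SPNEGO token was expected, can be confirmed from the `Authorization: Negotiate` request header. The following is an added diagnostic example, not code from the thread or from OAM; the sample headers are constructed skeletons rather than captured tokens, and the OID search is a heuristic, not a full ASN.1 parse.

```python
import base64
import binascii

# DER-encoded mechanism OIDs as they appear inside GSS-API / SPNEGO tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_SIGNATURE = b"NTLMSSP\x00"  # base64 of a raw NTLM token starts "TlRMTVNTUAA"


def _after_gss_header(token):
    """Return the bytes after the GSS-API 0x60 tag and its DER length, or None."""
    if len(token) < 2 or token[0] != 0x60:
        return None
    length_octets = token[1] & 0x7F if token[1] & 0x80 else 0
    return token[2 + length_octets:]


def classify_token(token):
    """Classify a decoded Negotiate token by the mechanism it carries."""
    if token.startswith(NTLM_SIGNATURE):
        return "raw-ntlm"
    body = _after_gss_header(token)
    if body is None:
        return "unknown"
    if body.startswith((OID_KRB5, OID_MS_KRB5)):
        return "raw-kerberos"
    if not body.startswith(OID_SPNEGO):
        return "unknown"
    # SPNEGO: the first mechanism in the mechTypes list is the preferred one.
    rest = body[len(OID_SPNEGO):]
    krb_hits = [p for p in (rest.find(OID_KRB5), rest.find(OID_MS_KRB5)) if p >= 0]
    ntlm_at = rest.find(OID_NTLMSSP)
    if krb_hits and (ntlm_at < 0 or min(krb_hits) < ntlm_at):
        return "spnego-kerberos"
    return "spnego-ntlm" if ntlm_at >= 0 else "spnego-other"


def classify_authorization_header(value):
    """Classify the value of an HTTP Authorization header."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    return classify_token(token)


def _der(tag, body):
    # Minimal DER TLV used only to build the constructed samples below.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def sample_spnego_header(mech_oids):
    """Constructed sample: a NegTokenInit skeleton listing the given mechanisms."""
    mech_list = _der(0x30, b"".join(mech_oids))
    neg_token_init = _der(0x30, _der(0xA0, mech_list))
    token = _der(0x60, OID_SPNEGO + _der(0xA0, neg_token_init))
    return "Negotiate " + base64.b64encode(token).decode()


def sample_ntlm_header():
    """Constructed sample: the first bytes of an NTLM type 1 message."""
    token = NTLM_SIGNATURE + (1).to_bytes(4, "little") + bytes(4)
    return "Negotiate " + base64.b64encode(token).decode()


if __name__ == "__main__":
    samples = {
        "working domain": sample_spnego_header([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP]),
        "failing domain": sample_ntlm_header(),
    }
    for label, header in samples.items():
        print(label, "->", classify_authorization_header(header))
```

A `raw-ntlm` or `spnego-ntlm` result means the client did not present a Kerberos service ticket for the requested host.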

Similar Messages

  • OAM11g-WNA and OVD

    Hello, I'm trying to test out OAM11g/WNA (Windows Native Authentication without IIS). I have OVD configured as primary Identity Store which is virtualizing against 4 AD domains. Most of the documents/blogs around this topic point to creating an AD identity store with associated Kerberos configurations in OAM. Can I get the Kerberos authentication to pass through OVD and avoid creating an AD identity store? Though OAM 11.1.1.5 supports multiple identity stores, since I have 4 domains, keeping separate krb5.conf files and combining SPN files seems to get complicated. Has anyone tried this? Please share your thoughts.
    Thanks,
    Sunil.

    Hi
    I have configured multiple Authn schemes with unique krb5 and keytab files for 2 domains (I'm assuming it will scale to n domains) without issue; it works fine assuming you have multiple policies using their own scheme. I'm now trying to work out if I can use a single policy and a single custom Authn module to determine the source domain and use the appropriate krb5/keytab files. Any ideas?
    Thanks
    Roman

  • AD-OID and  WNA Question

    Two questions:
    Is it necessary to configure AD-OID integration to use Windows Native Authentication?
    Can I populate OID with my Active Directory users once and still use WNA?
    Thanks,
    Jim

    Update to my original post:
    After successfully configuring AD-OID synchronization and WNA on a Win2003 Server (and opening multiple SRs in the process), I learned that it IS possible to bootstrap the users once from AD into OID.
    Bootstrapping is required to import the users' krb5principalname and orclsamaccount attributes into OID, which are used by the SSO server to authenticate their kerberos tickets.
    Synchronization between AD-OID is not required for WNA to work, but it helps if you expect to add new users from AD into OID.
    HTH,
    Jim

  • AD OID mapping rule questions

    Hi,
    Can someone please tell me how to map the first and last names from AD to OID in the mapping file. Currently I have the following and wanted to make sure if it's correct:
    sn,SAMAccountName: : :person:sn: :person:sn|SAMAccountName
    givenName: : :person:givenName: :person
    # Map the userprincipalname to the nickname attr by default
    #userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
    # Map the SamAccountName to the nickname attr if required
    # If this rule is enabled, userprincipalname rule needs to be disabled
    sAMAccountName: : :user:uid: :inetorgperson:sAMAccountName
    The other question I have is why we need to disable userprincipalname rule when the following is enabled. As I am also trying to enable WNA/SSO too, what other rules I need for that in my mapping file.
    sAMAccountName: : :user:uid: :inetorgperson:sAMAccountName
    Thanks

    I have these first two rules here and they seem to be working fine. But I think you will have trouble with the third one with WNA authentication.
    About the two last rules for uid, the reason you can only have one of these is that both are storing a value on the uid attribute. You need to choose whether you want to use the samaccountname or the userprincipalname on it.
    I remember seeing somewhere that for WNA authentication to work the uid should be in the format [email protected], so you would need to map userprincipalname to uid instead of samaccountname, I am not absolutely sure about this since I have never setup WNA.
    And also you would need to populate the krbprincipalname. I think this one is automatically copied to the orclsamaccountname attribute, which is required. I have a rule like this here:
    userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,'@'))
    There are some walkthroughs on Oracle By Examples that I found very useful. This one is for WNA:
    http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm
    Regards,
    Luis

  • [Urgent] Some questions about OID/OSSO 10g - 11g upgrade

    Dear all,
    We are doing an upgrade assessment of OID/OSSO 10g to 11g for a customer. After reviewing the 'upgrading guide', we still have some questions, as below:
    1. Will the ‘10g DIP profiles’ still be available after the OID 11g upgrade? Currently there is some sync of AD<->OID and DB->OID.
    2. Will the ‘WNA’ function still work after the upgrade?
    3. Is there a big change in the OID API from 10g to 11g? If so, I think there may be a big effort on application modification.
    4. I found that there is an OAM Basic version for the OSSO 10g upgrade. Will this OAM Basic migrate the OSSO configuration (like external applications) automatically, or must it be re-configured after the upgrade?
    5. Currently the customer has configured OID 10g as BPEL/ESB’s identity store. Is BPEL/ESB 10g certified with OID 11g as well? I didn’t find the certification so far.
    Thank you in advance; any comments are welcome.

  • Feedback needed on WNA

    Hi I am trying to enable WNA and have some questions as I went over the document http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm
    1. Is SSO Server Oracle App. Server. How do I find out FQDN of SSO Server
    2. When setting ORACLE_HOME is it going to point to Infrastructure or MidTier
    3. In the doc. it says "It is necessary to create a user account in the AD server with the same host name where your SSO server is running" Now is this account different than the one we use for AD-OID sync or the same account can be used.
    4. In krb5.conf file kdc = dude.us.oracle.com:88 is the Kerberos server port the same for AD port number. How do i find out the port number
    Thanks

    Hi,
    Thanks for the feedback. Can you please tell me what are following options in the ktpass command and are these required
    to generate keytab file as I didn't see in the documentation and OBE, can I ignore them or are these required.
    +desonly
    -mapOp set
    -crypto des-cbc-md5
    ktpass -princ HTTP/[email protected] -pass <PASSWORD> +desonly -mapuser prdbx2 -mapOp set -out mysso.keytab -crypto des-cbc-md5
    Also currently my krb5.conf looks like:
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    default_realm = IIDEV.COM #IIDEV.COM is the default AD Realm
    [realms]
    IIDEV.COM = {
    kdc = prdgem03.iidev.com:88 #FQDN of the AD server
    [domain_realm]
    .iidev.com = IIDEV.COM
    iidev.com = IIDEV.COM
    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 38000
    renew_lifetime = 38000
    forwardable = true
    krb4_convert = false
    Just wanted to make sure if the above file is correct. Is there anything else I need to place in the file? Your feedback is appreciated.
    Thanks
    Message was edited by:
    WhiteSox
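
The `+desonly` and `-crypto des-cbc-md5` options asked about above produce a keytab that holds only single-DES keys, an encryption type deprecated for Kerberos by RFC 6649. The following added example (not from the post or from Oracle's documentation) audits MIT `klist -ke` output for principals that have no current-strength key; the listing and principal names are constructed.

```python
import re
from collections import defaultdict

# Enctype names as printed by MIT `klist -ke`; these are deprecated for
# Kerberos by RFC 6649 (DES, RC4 export) and RFC 8429 (3DES, RC4).
DEPRECATED = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp",
}

# One keytab entry per line: KVNO, principal, "(enctype)".
# Newer klist versions prefix weak enctypes with "DEPRECATED:".
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

# Constructed sample listing (not taken from a real keytab).
SAMPLE_KLIST = """\
Keytab name: FILE:/tmp/sample.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/sso-a.example.com@EXAMPLE.COM (des-cbc-md5)
   7 HTTP/sso-b.example.com@EXAMPLE.COM (des-cbc-crc)
   7 HTTP/sso-b.example.com@EXAMPLE.COM (des-cbc-md5)
   7 HTTP/sso-b.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
   7 HTTP/sso-b.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 HTTP/sso-b.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2), match.group(3).lower()))
    return entries


def audit_keytab(text):
    """Group each principal's enctypes into deprecated and current."""
    by_principal = defaultdict(lambda: {"deprecated": [], "current": []})
    for _kvno, principal, enctype in parse_klist(text):
        bucket = "deprecated" if enctype in DEPRECATED else "current"
        by_principal[principal][bucket].append(enctype)
    return dict(by_principal)


def principals_without_current_keys(text):
    """Principals whose every key uses a deprecated enctype (the DES-only case)."""
    return sorted(p for p, keys in audit_keytab(text).items() if not keys["current"])


if __name__ == "__main__":
    for principal, keys in audit_keytab(SAMPLE_KLIST).items():
        print(principal, keys)
    print("DES/RC4 only:", principals_without_current_keys(SAMPLE_KLIST))
```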

  • Integrating Oracle Access Manager with Kerberos (WNA)

    Hi,
    I have a working Oracle Access Manager currently being able only to authenticate users against Active Directory. I want to enable WNA. But I am still having issues with correctly configuring it:
    I do not know what am I doing wrong.
    I am logged as example.com\testuser into Windows XP, using firefox with WNA enabled for URI example.com. Then I enter http://oracle.example.com which is my Oracle HTTP Server's protected URL, then I am receiving ERROR from Oracle Access Manager: "The user account is locked or disabled. Please contact the System Administrator."
    In OAM Log there is this: <Jun 19, 2012 4:14:15 PM CEST> <Error> <oracle.oam.controller> <OAM-02010> <User account is locked. Authentication failed.>
    Interesting is when I disable WNA support in firefox, then this behavior occurs: first there is this dialog shown "A username and password are being requested by http://oracle.example.com:14100. The site says: "OAM 11g"" --> here I enter example.com\testuser and password. After this new dialog is shown: A username and password are being requested by http://oracle.example.com:14100. The site says: "WebLogic Server", then after entering weblogic/password I receive "The user account is locked or disabled. Please contact the System Administrator."
    In the OAM log this is logged:
    <Jun 19, 2012 4:22:28 PM CEST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20023> <Authentication Failure for user : weblogic.>
    <Jun 19, 2012 4:22:28 PM CEST> <Error> <oracle.oam.controller> <OAM-02010> <User account is locked. Authentication failed.>
    Any ideas? I am really stuck here.
    I am using this keytab file:
    [root@oracle centos]# klist -ke /home/oracle/keytab.testuser1
    Keytab name: WRFILE:/home/oracle/keytab.testuser1
    KVNO Principal
    7 HTTP/[email protected] (des-cbc-crc)
    7 HTTP/[email protected] (des-cbc-md5)
    7 HTTP/[email protected] (arcfour-hmac)
    7 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
    7 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
    kinit passes fine:
    [root@oracle centos]# kinit -V HTTP/[email protected] -k -t /home/oracle/keytab.testuser1
    Using default cache: /tmp/krb5cc_0
    Using principal: HTTP/[email protected]
    Using keytab: /home/oracle/keytab.testuser1
    Authenticated to Kerberos v5
    Why and which user is locked? I can lock with the AD user into windows domain, so I assume it is not locked + I checked it in the Active Directory.

    Ok, now I got it working. Sh~t! Why oracle documentation says I should set AD datasource with this parameter:
    User Name Attribute: UserPrincipalName, when this does not work?!
    After changing to User Name Attribute: sAMAccountName my WNA works!!!
    I have been fighting all day with this! The question is why such behavior - if the problem is in wrongly written oracle documentation, or I have a problem somewhere else.
    Btw my user in AD looks like this:
    distinguishedName:     CN=John Doe,CN=Users,DC=example,DC=com
    sAMAccountName:     doejohn
    userPrincipalName     [email protected]
    It looks OAM takes "doejohn" from Windows via WNA/Kerberos and searches for this using UserPrincipalName and this is giving no match of course because "doejohn != [email protected]".
    The question is why does it take doejohn and not [email protected] from Windows WNA/Kerberos ???

  • Questions on Print Quote report

    Hi,
    I'm fairly new to Oracle Quoting and trying to get familiar with it. I have a few questions and would appreciate if anyone answers them
    1) We have a requirement to customize the Print Quote report. I searched these forums and found that this report can be defined either as a XML Publisher report or an Oracle Reports report depending on a profile option. Can you please let me know what the name of the profile option is?
    2) When I select the 'Print Quote' option from the Actions drop down in the quoting page and click Submit I get the report printed and see the following URL in my browser.
    http://<host>:<port>/dev60cgi/rwcgi60?PROJ03_APPS+report=/proj3/app/appltop/aso/11.5.0/reports/US/ASOPQTEL.rdf+DESTYPE=CACHE+P_TCK_ID=23731428+P_EXECUTABLE=N+P_SHOW_CHARGES=N+P_SHOW_CATG_TOT=N+P_SHOW_PRICE_ADJ=Y+P_SESSION_ID=c-RAuP8LOvdnv30grRzKqUQs:S+P_SHOW_HDR_ATTACH=N+P_SHOW_LINE_ATTACH=N+P_SHOW_HDR_SALESUPP=N+P_SHOW_LN_SALESUPP=N+TOLERANCE=0+DESFORMAT=RTF+DESNAME=Quote.rtf
    Does it mean that the profile in our case is set to call the rdf since it has reference to ASOPQTEL.rdf in the above url?
    3) When you click on submit button do we have something like this in the jsp code: On click call ASOPQTEL.rdf. Is the report called using a concurrent program? I want to know how the report is getting invoked?
    4) If we want to customize the jsp pages can you please let me know the steps involved in making the customizations and testing them.
    Thanks and Appreciate your patience
    -PC

    1) We have a requirement to customize the Print Quote report. I searched these forums and found that this report can be defined either as a XML Publisher report or an Oracle Reports report depending on a profile option. Can you please let me know what the name of the profile option is?
    I think I posted it in one of the threads.
    2) When I select the 'Print Quote' option from the Actions drop down in the quoting page and click Submit I get the report printed and see the following URL in my browser.
    http://<host>:<port>/dev60cgi/rwcgi60?PROJ03_APPS+report=/proj3/app/appltop/aso/11.5.0/reports/US/ASOPQTEL.rdf+DESTYPE=CACHE+P_TCK_ID=23731428+P_EXECUTABLE=N+P_SHOW_CHARGES=N+P_SHOW_CATG_TOT=N+P_SHOW_PRICE_ADJ=Y+P_SESSION_ID=c-RAuP8LOvdnv30grRzKqUQs:S+P_SHOW_HDR_ATTACH=N+P_SHOW_LINE_ATTACH=N+P_SHOW_HDR_SALESUPP=N+P_SHOW_LN_SALESUPP=N+TOLERANCE=0+DESFORMAT=RTF+DESNAME=Quote.rtf
    Does it mean that the profile in our case is set to call the rdf since it has reference to ASOPQTEL.rdf in the above url?
    Yes, your understanding is correct.
    3) When you click on submit button do we have something like this in the jsp code: On click call ASOPQTEL.rdf. Is the report called using a concurrent program? I want to know how the report is getting invoked?
    No, there is no conc program getting called, you can directly call a report in a browser window, Oracle reports server will execute the report and send the HTTP response to the browser.
    4) If we want to customize the jsp pages can you please let me know the steps involved in making the customizations and testing them.
    This is detailed in many threads.
    Thanks
    Tapash

  • Satellite P300D-10v - Question about warranty

    HI EVERYBODY
    I have these overheating problems with my laptop Satellite P300D-10v.
    I did everything I could do to fix it without any success..
    I got the latest update of the bios from Toshiba. I cleaned my lap with compressed air first and then disassembled it all and cleaned it better. (It was really clean inside though...)
    BUT unfortunately the problem still exists...
    So i made a research on the internet and I found out that most of Toshiba owners have the same exactly problem with their laptop.
    Well i guess this is a Toshiba bug for many years now.
    Its a really nice lap, cool sound (the best in laptop ever) BUT......
    So I wanted to make a question. As i am still under warranty, can i return this laptop and get my money back or change it with a different one????
    If any body knows PLS let me know.
    cheers
    Thanks in advance

    Hi
    I have already found you other threads.
    Regarding the warranty question;
    If there is something wrong with the hardware then the ASP in your country should be able to help you.
    The warranty should cover every reparation or replacement.
    But I read that you have disassembled the laptop at your own hand... hmmm, if you have disassembled the notebook then your warranty is not valid anymore :(
    I think this should be clear for you that you can lose the warranty if you disassemble the laptop!
    By the way: you have to speak with the notebook dealer where you have purchased this notebook if you want to return the notebook
    The Toshiba ASP can repair and fix the notebook but you will not get money from ASP.
    Greets

  • Question regarding NULL and forms

    Hi all, I have a survey that I'm working on that will be sent via email.
    I'm having an issue though. If I have a multiple choice question, and the user only selects one of the choices, all the unselected choices return as NULL. Is there a way I can filter out anything that says "NULL" so it only shows the selected options?
    thanks.
    here is the page that retrieves all the data. thanks
    <body>
    <p>1) Is this your first visit to xxxxxxx? <b><%=request.getParameter("stepone") %></b>
    </p>
    <p> </p>
    <p>2) How did You Learn About xxxxxxx?</p>
    <p><b><%=request.getParameter("steptwoOne") %></b>
      <br>
        <b><%=request.getParameter("steptwoTwo") %></b>
      <br>
        <b><%=request.getParameter("steptwoThree") %></b>
      <br>
        <b><%=request.getParameter("steptwoFour") %></b>
      <br>
        <b><%=request.getParameter("steptwoOther") %></b>
    </p>
    <p> </p>
    <p>3) What was your main reason for visiting xxxxx?</p>
    <p><b><%=request.getParameter("stepthreeOne") %></b>
        <br>
          <b><%=request.getParameter("stepthreeTwo") %></b>
        <br>
          <b><%=request.getParameter("stepthreeThree") %></b>
        <br>
          <b><%=request.getParameter("stepthreeFour") %></b>
        <br>
          <b><%=request.getParameter("stepthreeOther") %></b>
    </p>
    <p>4) did you find the information you were looking for on this site?</p>
    <p><b><%=request.getParameter("stepfour") %>
    <br>
    <b><%=request.getParameter("stepfourOther") %></b>
    </b></p>
    <p>5) Do you plan on using this website in the future?</p>
    <p><b><%=request.getParameter("stepfive") %></b></p>
    <p>6) What is your gender</p>
    <p><b><%=request.getParameter("stepsix") %></b></p>
    <p>7) What is your age group</p>
    <p><b><%=request.getParameter("stepseven") %></b></p>
    8) Would you like to take a moment and tell us how we can improve your experience on xxxxxxxxxx?
    <p><b><%=request.getParameter("stepeightFeedback") %></b></p>

    i was messing around and came up with this. it doesnt remove the null, but if it is null it adds ABC beside it. so i think i might be getting close. i just need to figure out how to replace the null.
    <b><%=request.getParameter("steptwoFour") %></b>
         <% if (request.getParameter("steptwoFour") == null ) {
         %>
         <% out.print("abc"); %>
         <% }
         %>

  • Anyone know how to remove Overdrive books from my iphone that have been transferred from my computer? They do not show up on itunes. I see a lot of answers to this question but they all are based on being able to see the books in iTunes.

    How do I remove Overdrive books from the library that were downloaded onto my computer then transferred to my iphone? The problem is that they do not show up in iTunes.
    I see this question asked a lot when I google, but they always give answers that assume you can find the books in iTunes either under the books tab, or the audio books tab or in the music. They do not show up anywhere for me. They do not remove from the app like the ones I downloaded directly onto my iphone. The related archived article does not answer it either. I even asked a guy working at an apple store and he could not help either. Anybody...?
    Thanks!

    there is an app called daisydisk on mac app store which will help you see exactly where the memory is focused and consumed try using that app and see which folders are using more memory

  • Basic question

    Hello, i have a basic question. if i have defined 2 fields in a cube or a dso:
    Name Quantity
    and from the external flat file i get some characters for my quantity field. would my load fail?  for standard dso and for write optimized?
    NOTE: quantity field is a keyfigure defined as numeric.
    and the load coming in has "VIKPATEL" for Quantity field and not numbers.
    thanks

    Hi Vik,
    Yes, the load will fail.
    Maybe you could first load this data into BW (into PSA) and set both fields as character fields. Then you can create the DSO, do a transformation from this PSA to the DSO, and put in your logic as to what you want to do with those Quantity values that are not numbers (e.g. convert to 0, or 'Not assigned', etc).
    You can use transfer rule, or a clean up ABAP code in the start routine.
    Hope this helps.

  • Mid 2010 15" i5 Battery Calibration Questions

    Hi, I have a mid 2010 15" MacBook Pro 2.4GHz i5.
    Question 1: I didn't calibrate my battery when I first got my MacBook Pro (it didn't say in the manual that I had to). I've had it for about a month and am doing a calibration today, is that okay? I hope I haven't damaged my battery? The calibration is only to help the battery meter provide an accurate reading of how much life it has remaining, right?
    Question 2: After reading Apple's calibration guide, I decided to set the MacBook Pro to never go to sleep (in Energy Saver System Preference) and leave it on overnight so it would run out of power and go to sleep, then I'd leave it in that state for at least 5 hours before charging it. When I woke up, the light on the front wasn't illuminated. It usually pulsates when in Sleep. Expectedly, it wouldn't wake when pressing buttons on the keyboard. So, what's happened? Is this Safe Sleep? I didn't see any "Your Mac is on reserve battery and will shut down" dialogues or anything similar, as I was asleep! I've left it in this state while I'm at work and will charge it this afternoon. Was my described method okay for calibration or should I have done something different?
    Question 3: Does it matter how quickly you drain your battery when doing a calibration? i.e is it okay to drain it quickly (by running HD video, Photo Booth with effects etc) or slowly (by leaving it idle or running light apps)?
    Thanks.
    Message was edited by: Fresh J

    Fresh J:
    A1. You're fine calibrating the battery now. You might have gotten more accurate readings during the first month if you'd done it sooner, but no harm has been done.
    A2. Your machine has NOT shut down; it has done exactly what it was supposed to do. When the power became critically low, it first wrote the contents of RAM to the hard drive, then went to sleep. When the battery was completely drained some time later, the MBP went into hibernation and the sleep light stopped pulsing and turned off. In that state the machine was using no power at all, but the contents of your RAM were still saved. Once the AC adapter was connected, a press of the power button would cause those contents to be reloaded, and the machine would pick up again exactly where you left off. It is not necessary to wait for the battery to be fully charged before using the machine on AC power, but do leave the AC adapter connected for at least two hours after the battery is fully charged. Nothing that you say you've done was wrong, and nothing that you say has happened was wrong.
    A3. No, it does not matter.

  • Jabber/WebEx Connect SSO Questions

    I've got a few questions around exactly what needs to be done to get SAML working for our Connect accounts to successfully authenticate from Jabber for Windows, Mac, iPhone, and Android.
    We have both a Meeting Center and Connect account under WebEx using Loose Coupled Integration. Just this past week I enabled SAML for our Meeting Center accounts which went off without a hitch with the exception of Meeting Center integration with Jabber, which is now broken with a message about SSO enabled Meeting Sites not being supported (I think this would maybe be fixed if we had Tight Coupled Integration with our two accounts?).
    Anyway, my questions are...
    For Windows, I understand all clients will need to be reinstalled with the MSI argument for the SSO_ORG_DOMAIN switch I've read about, is that correct? Are there any other switches needed for the reinstall? 
    How will this work with the Mac and mobile clients? There's obviously no command line options to specify for the installations here, will they just know to kick over to my IdP for authentication once they see an email address that falls under an org with SSO enabled? If so, why does the Windows client need to be completely reinstalled and not just know to find the IdP from the Cloud Connect service like Meeting Center does with the Productivity Tools?
    We're just doing this for our Connect Web IM accounts, not attempting any sort of SSO with the phone accounts/UC integration yet.
    Any ideas on getting the Meeting Center integration into Jabber working again?

    I'd suggest posting your question over on the Jabber Pilot forum, as this forum is specific to Jabber Guest questions:
    https://supportforums.cisco.com/community/4551/jabber-pilot-support
    -jim

  • My iPad wont let me download apps bc security questions, but when I try to make them it freezes

    Every time I try to download an app it tells me I need to update my security questions, but once I click to make the questions the box goes white. So I'm not sure how to fix it

    The new questions show on your account on http://appleid.apple.com ? If they do then try logging out and back into your account on your phone (assuming that is where you are trying to purchase from) and see if the new questions then show on it.
