Open document SSO using trusted authentication.

Similar Messages

• Problem with Open document SSO using websphere.

  Hi All,
  I have a issue,
  We configured AD SSO using websphere and its working fine but when we try to login to the open document SSO using websphere it prompting for login credentials.
  Is there any steps needed for configure open document SSO using websphere.
  We made all the changes in web.xml file for the Open Document ,same as in Infoview web.xml file.
  When we launch the Open Document, it prompts for the login screen, we get username and passwd fields we do not get the authentication drop down,if we give the AD credentials , we get "Enterprise Authentication error" .We feel the default authentication mode is taken as "Enterprise".
  We have made changes in the web.xml for open document to have authentication.dafault as "secWinAD", also ,for test purpose we made the authentication. visible as "true" but the changes were not taken, we have redeployed the war files.
  Any one please help on this.
  Environment Details-
  BOBJ XI R3.1 SP2
  Web Sphere 6.1.0.25  .
  Thank you in advance.
  Thanks & Regards,
  Bill.

  The same settings in the infoviewapp web.xml must be applied on the opendocument web.xml. Also you must be on XI 3.1 FP1 or higher. There is currently an Edge issue being investigated.
  Regards,
  Tim

• Open document sso in XIR2

  Hello,
  I have query on configuring open document sso in XIR2.
  We could configure open document sso on XIR3.1 from the SAP Notes available ,i.e by configuring Kerberos SSO as a prerequisite & changing web.xml file for open document.
  Do we need to follow the same procedure for XIR2,We could not find any related documents on open document sso.
  We have a Env still in XIR2 which is configured in NTLM.We need to configure open document sso for few clients.Do we need to shift to Kerberos? Can we configure open document sso with IIS?
  Please let us know what are our possibilites?
  Thanks
  Collin

  Hello from Spain!
  i'm trying to configure a system with BOXI 3.1 and SSO with AD Kerberos.
  The system is ok when I open infoview main screen and the user doesn't need to put its credentials. Tha's fine.
  But, when I try to open a report with a openDocument url  the system is asking me by user and password. I need to avoid this behaviour. Is it possible?
  This is the url that I'm using:  http://svdapp02:8080/OpenDocument/opendoc/openDocument.jsp?sType=wid&sDocName=ace002
  I have read something about change the web.xml file but I don't know how becasue I can't see an option in this file for Kerberos (I only see one tag for Vintela)
  Please help
  Thanks in advance

• Invalid Login Using Trusted Authentication

  My productive database server always report "Invalid Login Using Trusted Authentication" in udump. Could you tell me what is mean? would it influent oracle running?

  Can we test a single connection using SQL authentication and If still persist, you have to double check that credential
  if it is still trying to connect SQ Server and identify if it is hitting the
  same DB on the same server or other DBs  since I do think this errors is related to other DBs
  Kindly work out  it and please let know me your feedback                                               
  Shehap (DB Consultant/DB Architect) Think More deeply of DB Stress Stabilities

• SSO in Clustered Environment using Trusted Authentication

  Hi All,
  We have setup a clustered BOE 3.1. Our setup is clustered CMS's and remaining servers clustered on 2 separate machines. A cluster of 2 Weblogic managed servers as the web tier. We are using Novel Access Manger to load the balance between to Weblogic managed servers.
  Now how to setup Single Sign-on in this environment. Can we simply do the trusted authentication. For this do we just have to enable the trusted authentication and give the shared secret in CMS1. And change the web.xml at <DeployedLocation>\Business Objects\BusinessObjects Enterprise 12.0\warfiles\WebApps\InfoViewApp\WEB-INF at CMS1.
  Please advice.
  Thanks,
  Rakesh

  Trusted auth will not work without a shared secret. You specify it once in the CMC > authentication, Enterprise and on each web/app in a TrustedPrincipal.conf file. This is only half the battle as you have to select the method you are supplying the username and then provide the username via 3rd party (these steps are not documented except for remote_user and query_string)
  Regards,
  Tim

• MOBI SSO with trusted authentication and form based authentication

  Dear All,
  I am trying to configure Trusted authentication based SSO FOR MOBI, here are the details:
  - SAP BI 4.1 SP04
  - Trusted authentication with HTTP header configurred for BI Launchpad and working fine.
  Now to have SSO from Mobile, I plan to leverage the existing configuration of BI Launchpad and at Mobile level, I want to use authentication type as TRUSTED_AUTH_FORM, instead of TRUSTED_AUTH_BASIC, with the approach: Trusted authentication with HTTP header.
  And
  Provide our app users their X502 certs.
  1. Will the above approach work ??
  2. As per SAP NOTE: 2038165 - SSO using form based trusted auth gives with the SAP BI app for iOS gives error MOB00920 this does not work and is still under investigation from July last year ? So for any community member, has this been found working ??
  I would appreciate your valuable inputs.
  Regards,
  Sarvjot Singh

  Hi,
  According to your post, my understanding is that you want to know the difference of the SharePoint three type user authentications.
  Windows claims-based authentication uses your existing Windows authentication provider (Active Directory Domain Services [AD DS]) to validate the credentials of connecting clients. Use this authentication to allow AD DS-based accounts access to SharePoint
  resources. Authentication methods include NTLM, Kerberos, and Basic.
  Forms-based authentication can be used against credentials that are stored in an authentication provider that is available through the ASP.NET interface
  SAML token-based authentication in SharePoint 2013 requires coordination with administrators of a claims-based environment, whether it is your own internal environment or a partner environment.
  There is a good article contains all the SharePoint Authentications, including how they work and how to configure.
  http://sp77.blogspot.com/2014/02/authentication-in-sharepoint-2013_5.html#.VFcyQ_mUfkJ
  Thanks & Regards,
  Jason
  Jason Guo
  TechNet Community Support

• Open document issue using Xcelsius WIH 00013

  All,
  I have Open Document that behaves correctly when I copy and paste it into address bar of a browser. It also works fine when I try to connect from one Webi report to another (so far so good). But when I use the link in Xcelsius, via a URL component, I get the following message:
  Invalid Session: Please close your browser and logon again. (WIH 00013)
  Previous posts on forumtopics.com suggests that this is a Tomcat time out issue. However, other open document calls from other Xcelsius dashboards with open document work without issue. Has anyone seen this before? I have included the hyperlink text. Please note long prompt text is courtesy of a BEx query in BW .
  http://<web server>:8080/OpenDocument/opendoc/openDocument.jsp?iDocID=8547&lsSCompany%20Code%20(Single%20Value%20Entry%2C%20Required)=1000&lsSCurrent%20Fiscal%20Year%20(Single%20Value%20Entry%2C%20Mandatory)=2009&lsSFinancial%20statement%20version=cddFinancialStatements&lsSPosting%20Period%20(Single%20Value%20Entry%2C%20Mandatory)=003&lsSaccount=cdd+21
  Thanks,
  Steve

  The same settings in the infoviewapp web.xml must be applied on the opendocument web.xml. Also you must be on XI 3.1 FP1 or higher. There is currently an Edge issue being investigated.
  Regards,
  Tim

• Needed to downgrade from Mavericks to Mountain Lion to address slowness on older Macbook, now I can't open documents or use my iWorks.

  Hello everyone,
  Recently went in to the Genius bar to pay to fix some aesthetic physical damage on my 2010 Macbook (Applecare expired) and while I was there I asked about some slowness I'd been experiencing but couldn't explain. My helper recommended that I switch from Mavericks back to Mountain Lion due to the amount of memory required by Mavericks. I did that, and it did fix the slowness issue, but now I'm not able to open my saved documents or use Pages. May be affecting other applications too those just happen to be what I use most frequently.
  When I try to open a document it says I need "a newer version of Pages" but I apparently cannot run the newer version of Pages because it says it requires 10.9 or later.
  Help, please? I really need access to my documents.

  Try one of these programs. Then save in another format and attempt to open in Pages.
  LibreOffice
  OpenOffice
  Office Alternatives - Free

• Opening Document's using Document ID (DocIdRedir.aspx) results in Read-Only mode

  Hi,
  The document doesn't have Edit option when it opens through the DocIdRedir.aspx?DocId.
  Tried below below registry update solution and it doesn't provide the checkin/checkout options.
  do we have any other option/solution to enable the edit button with checkin/checkout?
  Request you please provide the solution.
  Registry update Solution:
           Add the following entry into the users registry.
  [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet]  "OpenDocumentsReadWriteWhileBrowsing"=dword:00000001
             For a large number of users this would need to be done via Group Policy of course.
  Thanks,
  Neerender

  Hi  Neerender ,
  According to your description, my understanding is that you want to open document in edit mode with checkin/checkout through the DocIdRedir.aspx?DocId.
  For my test, if I configure my SharePoint 2010 to open office documents using the client application, when I open document through the DocIdRedir.aspx?DocId, the document  will be downloaded , then opened
  by the client application. So I can open it in edit mode.
  If I configure my SharePoint 2010 to open office documents in the browser, when I open document through the DocIdRedir.aspx?DocId, the document will be opened in the office web apps and I can edit it by clicking
  Edit in Brower.
  Best Regards,
  Eric
  Eric Tao
  TechNet Community Support

• Single Signon using Trusted Authentication - version 3.0

  There was good documentation on this in version 2 but looks like 3.0 it was just copied and not much added.
  I am using the ISAPI redirector and have figured out the single signon but it logs in to the little window that use to contain the login when no sso is enabled.
  So, what piece am I missing?  Do I need a newer ISAPI redirctor?

  "madhav" <[email protected]> wrote in message
  news:3fa67a2c$[email protected]..
  >
  We are trying to enable single sign-on through perimeter authentication.We are
  trying to
  accomplish the same using DefaultAuthenticator andDefaultIdentityAsserter. We
  have the
  following questions
  1. Weblogic documentation says that the following authentication types aresupported
  username/password, certificate and perimeter. Where do I set the perimeterauthentication
  >
  type Ex: In web.xml, I can specify basic, Form or Client-Cert as the authmethod.
  How do I
  specify that the authentication method is perimeter based.
  You use client-cert. This causes the servlet container to look for identity
  assertion tokens
  in request headers and cookies. There is a CR to separate this from the
  authentication
  method.
  2. How do I create a token for the DefaultIdentityAssertor.
  Upon investigation in the AssertIdentity method of theDefaultIdentityAssertor,
  the code
  snippet from DefaultIdentityAssserterProvideImpl.java is the following
  You define your token format and implementation and then write a
  corresponding
  identity asserter. It handles the tokens, not the default identity asserter.
  >
  Is there a mechanism to generate the token for the AuthenticatedUser tokentype.We
  are
  trying to pass the token as a part of the HTTPHeader using the
  URLConnection.setRequestProperty("AuthenticatedUser",tokenString"). Wetried two
  >
  The authenticated user token type really should have been internal and not
  exposed as
  a token type. Don't use it - define your own token type.
  See the dev2dev security provider samples for an example of how to do this.

• B0XI3.1 Infoview SSO using WindowsNT Authentication

  We have recently set up 3.1 on a development server and are currently trying to configure NT authentication and SSO for Infoview. NT authentication appears to be working as when Infoview is launched the logon screen appears and allows you to enter you NT logon details. However my understanding is that if SSO is enabled correctly then the logon screen should be bypassed? I have followed all of the BO documentation and looked at various posts on this forum but still no success. Can anyone think of anything we may have missed?

  >
  Howard Burgess wrote:
  > We were able to implement WindowsNT SSO for infoview on IIS with the following steps:
  >
  > Prereq. Make sure WindowsNT Authentication is working properly. Then move to SSO.
  >
  > 1. Enable SSO in CMC under WindowsNT Authentication.
  > 2. In the IIS Console, check the properties for the businessobjects application. Under the Directory Security tab, edit the anonymouse access and authentication control. Uncheck the anonymous access and only have Integrated Windows Authentication checked. Check WebAdmin and InfoView apps under Enterprise115 to make sure they have the same settings.
  > 3. Modify WebAdmin's web.config.
  >        Add the following lines of code within the <system.web> element if not already there:
  >                    <identity impersonate="true" />      
  >         <authentication mode="Windows" />
  > 4. Modify InfoView's web.config
  >        Add/change the following lines of code within the <system.web> element if not already there:
  >                    <identity impersonate="true" />      
  >         <authentication mode="Windows" />
  >        Modify keys within <WebDesktopSettings> element:
  >                    <add key="authenticationDefault" value="secWindowsNT" />
  >                    <add key="authenticationVisible" value="false" />
  >                    <add key="ssoEnabled" value="true" />
  > 5. Restart the IIS Server.
  >
  > Hope this helps someone.
  The above is only valid for XIR2, these application directories do not exist in 3.1
  This appears to be a bug
  Regards,
  Tim

• How do we use SSO for both Windows AD and Trusted authentication?

  We want to have the majority of our users access the BO 4 BI Launchpad using SSO with Windows AD authentication.  We have set this up and it's working ok.  We also have a subset of external users and need to configure SSO with Trusted authentication for their Enterprise accounts.  Support says we can only have SSO for one authentication type.  I'm assuming we can work around this by installing a 2nd Tomcat instance on our Linux server.  Has anyone done this type of config successfully?  Any other ideas would be greatly appreciated.  Thanks!

  Hi Collins,
  BOE's CMS can be accessed from multiple application servers.
  Please have a look on this new article [here|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00240702-8343-2f10-ed9a-85ece14c93db] .
  You may use this method for other application servers(not only NW) but just dont add the file "web-j2ee-engine.xml" as its not  needed.
  regarding sections 4.2.4 on the document, On one application server just set "authentication.default" property under the file BIlaunchpad.properties, to "secWinAD"(for win AD). and on the other set it to "secEnterprise".
  please report any problems you may encounter,
  thanks,
  Idan

• Linking a WEBI report through hyperlink in a webpage using open document

  Hi All,
  I have a hyper link in a web page which when clicked should open a WEBI report. I created it using the open document feature.
  Once clicking on the link, InfoView login credential page is displayed. After logging in the report runs.
  My client does not want the login page to be displayed since most of the users does not remember their password (since SSO is implemented).
  He wants to bypass this login page so that most of the users can directly view the reports.
  Question:
  Is there a way to achieve this i.e without asking for login credentials or by passing this?
  Possibilities :
  1: To create ID's for all the people (which I think is not a feasible option in my project)
  2: Create a guest account with minimum privileges and share the password with all the users.
  Note:
  1: I use BO XI R 3.1.
  2: No SDK is installed to do any programming.
  Any suggestion are most welcome.
  Thanks in advance
  Shreyas

  Hi Shreyas,
  Manual Easy Way for doing the activity in SAP Business Objects 4.0:
  This method is useful if we have a special system account that we want everyone to use.
  You will notice that all we do is generate a logon token using the appropriate username, password and CMS variables. Then we append the token onto ivsLogonToken.
  Note: The numbers on the url after /BOE/portal represents the timestamp of the last patch or install.  You can put whatever you want under the number section and Business Objects will automatically redirect to the appropriate start.do
  Step I:
  Go to the SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\eclipse\plugins\webpath.InfoView directory and edit custom.jsp
  Step II:
  You can copy the contents from the custom.jsp that I’ve provided below to your custom.jsp.
  Cutom.JSP File
  <%@ page import="com.crystaldecisions.sdk.exception.SDKException" %>
  <%@ page import="com.crystaldecisions.sdk.framework.*" %>
  <%@ page import="com.crystaldecisions.sdk.occa.infostore.*" %>
  <%@ page import="com.crystaldecisions.sdk.occa.security.*"%>
  <%@ page import="java.net.*"%>
  <%@ page import="com.crystaldecisions.enterprise.*"%>
  <%@ page import="com.crystaldecisions.sdk.plugin.admin.*"%>
  <%@ page import="java.sql.*"%>
  <%@ page import="com.businessobjects.webutil.Encoder" %>
  <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
      pageEncoding="ISO-8859-1"%>
  <%
  //BO Session and redirect to Infoview
  IEnterpriseSession enterpriseSession;
  /* * Set Enterprise Logon credentials. */
  final String BO_CMS_NAME = "bi4server";
  final String BO_AUTH_TYPE = "secEnterprise";
  final String BO_USERNAME = "Daya";
  final String BO_PASSWORD = "admin@123";
  ILogonTokenMgr logonTokenMgr;
  String defaultToken = "";
  * Log onto Enterprise
  boolean loggedIn = true;
  try {
  //Create session token
  enterpriseSession = CrystalEnterprise.getSessionMgr().logon(Daya,admin@123, BI4SERVER,Enterprise);
  logonTokenMgr = enterpriseSession.getLogonTokenMgr();
  defaultToken = logonTokenMgr.createWCAToken("", 20, 1);
  //Redirect with token attached to the ivsLogonToken parameter
  response.sendRedirect("http://"+BO_CMS_NAME+":8080/BOE/portal/1205291547/InfoView/logon/start.do?ivsLogonToken="+Encoder.encodeURL(defaultToken));
  catch (Exception error)
  loggedIn = false;
  out.println(error);
  %>
  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  <html>
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
  <title>Insert title here</title>
  </head>
  <body>
  </body>
  </html>
  Edit the username,Password & BOBJ Server Name'in BOLD Letter
  Step III:
  Stop tomcat, then delete contents in the SAP BusinessObjects\Tomcat6\work directory.
  Then start tomcat again and the work directory will be regenerated with new code.
  Step IV:
  Trusted Authentication:
  Trusted Authentication is a component of Enterprise authentication that integrates with third-party single sign-on solutions, including Java Authentication and Authorization Service (JAAS). Applications
  that have established trust with the Central Management Server can use Trusted Authentication to allow users to log on without providing their passwords.
  This method is really cool because users don’t even have to know their passwords.  Basically with this method you can log into another system and if that system has the appropriate user name, you can pass it to the custom.jsp and then it will log you into BI Launchpad.
  In addition, you don’t need to create any java code for the enterprise token setup.
  Step V:
  In the CMC, go to Authentication, then select Enterprise.  Check Trusted Authentication is enabled, then click on New Shared Secret.  Finally download the shared secret key and keep it somewhere secure
  Step VI:
  Copy global.properties from <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\default into <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom.  Then using Notepad or another text editing utility, edit the following properties
  sso.enabled=true
  trusted.auth.user.retrieval=WEB_SESSION
  trusted.auth.user.param=UserName
  trusted.auth.shared.secret=<secret code from properties file you created in step 2>
  Step VII:
  Go to the SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\eclipse\plugins\webpath.InfoView directory and edit custom.jsp
  <\!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
  "http://www.w3.org/TR/html4/loose.dtd">
  <%@ page language="java" contentType="text/html;charset=utf-8" %>
  <%
  //custom Java code
  request.getSession().setAttribute("MySecret","32efbfbd35efbfbdefbfbd4363efbfbdefbfbd694aefbfbdefbfbd227530efbfbd5742efbfbd13efbfbd2befbfbd1fefbfbdefbfbdefbfbdefbfbd4e49efbfbd41550cefbfbd15703619d8b8efbfbd6cefbfbdefbfbd57efbfbd0defbfbdefbfbdefbfbd0605efbfbd6dc59b2728efbfbd");
  request.getSession().setAttribute("UserName", "Daya");
  %>
  <html>
  <head>
  <title>Custom Entry Point</title>
  <script type="text/javascript">
  function goToLogonPage() {
  window.location = "logon.jsp";
  </script>
  </head>
  <body>
  <a href="javascript:goToLogonPage()">Click this to go to the logon page of BI launch pad</a>
  </body>
  Edit the username(Daya) variable
  Step VIII:
  Stop tomcat, then delete contents in the SAP BusinessObjects\Tomcat6\work directory.
  Then start tomcat again and the work directory will be regenerated with new code.
  Hope this help you as well.
  Thanks,
  Daya

• Open document using QAWS Xcelcius.

  Hi All,
  The OpenDocument link is for an object with QAAWS and Xcelsius and when we hit on the link it pops out with error "The session has been logged off or has expired. (FWM 01002) ".
  The work aroud is that we need to login to infoview first and then open the link it works fine.
  We are using Open doc SSO using ( Vintela SSO )in XI3.1which is working fine.
  When i gone through the knowledge base i could see that there is a know issue with Xcelsius using SSO and it got resloved in SP2 so will this gonig to effect my open document link.
  Thanks for understanding..

  I've had opendocument SSO working fine with vintela since 3.1, but I haven't tested every scenario. It could be a bug, I'll look up the adapt tomorrow to see the details.
  As far as I knew this function was working fine for quite a few of our customers. I set it up my self for several.
  EDIT: I looked at the adapt and apparently is was an xcelsius bug only not actually with opendocument. It is set to be fixed in SP2 and another patch for xcelsius clients only
  Regards,
  Tim

• Trusted Authentication

  Is it possible to open session with BO server using Trusted Authentication?
  Regards,
  Aleksejs

  Yes, you can.  (I only have the java code summary - but it should give you an idea for what to do in .NET)
  SYNOPSIS:
  How to use Trusted Authentication with SSO to InfoView using Enterprise Session?
  There may be a situation where only the enterprise username is known in the custom application. Trusted Authentication can come pretty handy.
  SOLUTION:
  Setup the Trusted Authentication first:
  I. Enable Trusted Authentication in BOE.
  1. Logon to Central Management Console with Administrator
  2. Click on "Authentication"
  3. Check the "Trusted Authentication is enabled"
  4. Enter the "Shared secret"
  5. Click Update
  II. Create/edit TrustedPrincipal.conf
  1. Create or open C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\plugins\auth\secEnterpise\TrustedPrincipal.conf
  2. Type in u201CSharedSecret=<shared secret value>u201D (without double quotes)
  3. Save the file.
  III. Deploy custom JSP
  1. Create a JSP in <webapps>/businessobjects/enterprise115/desktoplaunch/InfoView/logon.
  2. Cody and paste in the following code:
  <%@ page import = "com.crystaldecisions.sdk.framework.CrystalEnterprise"%>
  <%@ page import = "com.crystaldecisions.sdk.framework.ISessionMgr"%>
  <%@ page import = "com.crystaldecisions.sdk.framework.IEnterpriseSession"%>
  <%@ page import = "com.crystaldecisions.sdk.occa.security.ILogonTokenMgr"%>
  <%@ page import = "com.crystaldecisions.sdk.framework.ITrustedPrincipal" %>
  <%
  // Logon to CMS using without password
  ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();
  ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>");
  IEnterpriseSession enterpriseSession = sessionMgr.logon(trustedPrincipal);
  // Store Enterprise session in HttpSession     
  session.setAttribute("MyEnterpriseSession", enterpriseSession);
  // Construct URL and redirect to InfoView start page.
  // ivsEntSessionVar is the reference to the HttpSession variable.
  String url = "http://<server name>:<port>/businessobjects/enterprise115/desktoplaunch/InfoView/start.do?ivsEntSessionVar=MyEnterpriseSession";
  response.sendRedirect(url);
  %>
  3. Go to the URL http://<servername>:<port>/businessobjects/enterprise115/desktoplaunch/InfoView/logon/<JSP file>.jsp
  Note: JSP does not have to be in /desktoplaunch/InfoView/logon folder but JSP should be in >/businessobjects context.
  Extra Note -
  A new API method has been introduced with BEXI R2 MHF1 for Trusted Authentication that removes the need for the TrustedPrincipal.conf file.  You can now specify the shared secret using the following method:
  ISessionMgr.createTrustedPrincipal(java.lang.String userName, java.lang.String cmsName, java.lang.String sharedSecret)
  So, you can eliminate Part II from the steps above and use this method call:
  ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>", u201Csharedsecretu201D);
  instead of the old method:
  ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>");