Oracle externally-authenticated and security

Hi,
I work on a security project and I want to know if creating an externally authenticated user is good in a security context.
Thanks

External authentication falls into the category of a security loophole, since anyone who can access the system can come into the system. That said, you should check Pete Finnigan's notes about security and also check his website, www.petefinnigan.com.
HTH
Aman....
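
An added example, not part of the original thread: a read-only audit a DBA can run to see how much the database relies on external (operating-system) authentication. It assumes Oracle 11g or later (for the AUTHENTICATION_TYPE column) and SELECT access to the DBA_ views and V$PARAMETER.

```sql
-- 1. Accounts created with IDENTIFIED EXTERNALLY.
--    These have no database password; the database accepts whatever
--    identity the operating system (or network service) asserts.
SELECT username,
       account_status,
       authentication_type,
       created
FROM   dba_users
WHERE  authentication_type = 'EXTERNAL'
ORDER  BY username;

-- 2. Parameters that control how an OS identity maps to a database user.
--    remote_os_authent = TRUE : the OS user name reported by a remote
--                               client is trusted (deprecated; keep FALSE).
--    os_authent_prefix        : prefix joined to the OS user name to form
--                               the database user name (default OPS$).
--    os_roles / remote_os_roles : whether the OS, locally or remotely,
--                               decides which roles a session receives.
SELECT name,
       value,
       isdefault
FROM   v$parameter
WHERE  name IN ('remote_os_authent',
                'os_authent_prefix',
                'os_roles',
                'remote_os_roles')
ORDER  BY name;

-- 3. What each externally identified account is allowed to do.
--    A powerful system privilege or role on one of these accounts is
--    only as well protected as the OS login behind it.
SELECT u.username      AS username,
       p.privilege     AS granted,
       p.admin_option  AS admin_option
FROM   dba_users u
       JOIN dba_sys_privs p ON p.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
UNION ALL
SELECT u.username,
       'ROLE: ' || r.granted_role,
       r.admin_option
FROM   dba_users u
       JOIN dba_role_privs r ON r.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
ORDER  BY 1, 2;
```

An empty result from the first query together with remote_os_authent = FALSE means no account depends on OS-asserted identity.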

Similar Messages

  • Oracle Virtual Directory vs. Oracle External Authentication Plug-in

    I am working in Windows 2003 Server platform and I have Oracle Portal 10g R2 with Oracle Single Sign On 10g R2 setup. I also have Microsoft Active Directory setup. I want to use Microsoft Active Directory users from Oracle Portal and as per my understanding I could use Oracle External Authentication Plug-in or Oracle Virtual Directory for this purpose. I would like to use Oracle Virtual Directory if possible. Could someone please tell me if I could use Oracle Virtual Directory or not?
    Thanks.

    Yeah, I could use Oracle External Authentication Plug-in, but I am having issues with running the oidspadi.sh script on my Windows 2003 server environment. I am running this script using Cygwin's latest software, but for some reason I get the following error message.
    : command not found8:
    : command not found8:
    : command not found3:
    : command not found7:
    : command not found1:
    : command not found8:
    : command not found9:
    : command not found0: clear
    OID Active Directory Plug-in Configuration
    Please make sure Database and OID are up and running.
    : command not found7:
    : command not found0:
    oidspadi.sh: line 103: syntax error near unexpected token 'fi'
    'idspadi.sh: line 103:' fi
    Therefore, I was trying to find an alternative solution, which will be using Virtual Directory. Right now, I have installed Oracle Virtual Directory on my testing system and I have both Active Directory server and OID server part of LDAP Browser. My goal is to use Oracle Portal to log in and first look for the user in OID and, if not found, then look in Active Directory. Can this be accomplished using Oracle Virtual Directory?
    Please let me know.

  • Need info regarding Oracle UCM Accounts and Security Groups behaviour

    Need information regarding Oracle UCM Accounts and Security Groups behaviour.
    Oracle UCM version: 11.1.1.5.0
    Steps:
    1. Log in with "weblogic" user and created a content with id "content1"
    2. Applied "@acc1(R)" and "TestGroup1" to the content created in step 1
    3. Log out
    4. Log in as "acc1user1", the user is not able to see the "content1"
    5. Log out
    6. Log in as "role1user1", the user is not able to see the "content1"
    Account and Group information:
    1. User "acc1user1" is part of "@acc1(R)"
    2. User "role1user1" is part of "role1(R)" and is mapped to "TestGroup1" in UCM
    Expected:
    Both "acc1user1" and "role1user1" should be able to see "content1" as they have at least Read permission.
    Please help me understand why the users are not able to see the content.

    ACLs, like Accounts, are an optional security setting which may add some extra functionality to the mandatory security groups. Likewise, the resulting permission is taken as an intersection of SG and ACLs.
    > But in the second part the number of set of users is huge (approx say 600)
    I don't get this completely. Does this mean that those "sets of users" (users who see the same data) are distinct and that there are 600 such groups?
    If you read thoroughly the manual I sent earlier, there is a recommendation that there should be maximum 50 security groups, and you should use accounts, should this number be exceeded. This means you could have all the documents in one security group (and have one common role with Read permission), but combine it with accounts. ACLs are not a good choice here - their performance and manageability is much worse than of accounts. ACLs are primarily used if you expect security settings to change during the lifetime (e.g. a project manager adds temporarily rights to access an item to another user, and revokes it when the user finishes his or her work).
    Note that accounts as well as permissions of users within accounts can also be mapped externally (from LDAP/AD) and it usually follows some kind of org chart.
    I'd feel more comfortable not to speak about users, security groups, roles, etc., but about some real-life objects and scenarios.

  • Simple Authentication and Security Layer

    Hi All,
    What is Simple Authentication and Security Layer (SASL), and what is its function in Oracle Beehive?
    Thanks,
    Dha_Suh

    wikipedia :
    Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another. Authentication mechanisms can also provide a data security layer offering data integrity and data confidentiality services. DIGEST-MD5 is an example of mechanisms which can provide a data security layer. Application protocols that support SASL typically also support Transport Layer Security (TLS) to complement the services offered by SASL.
    SASL was originally specified in RFC 2222, authored by John Gardiner Myers while at Carnegie Mellon University. That document was obsoleted by RFC 4422, edited by Alexey Melnikov and Kurt Zeilenga.
    SASL is an IETF Standard Track protocol, presently a Proposed Standard.

  • Problem with Oracle external procedures and Microsoft Active Directory

    Hi,
    Our server was recently updated to use Microsoft Active Directory. However, we noticed that all external procedure calls keep on failing with ORA-28575: unable to open RPC connection external procedure agent. Everything was working fine before we migrated to Active Directory, which is why we can say that the listener is configured correctly.
    Any idea on how we can make extproc calls with Active Directory?
    thanks.

    Michael,
    Oracle Forms does support Single Sign-On (SSO). Take a look at Oracle Containers for J2EE Security Guide: OC4J Java Single Sign-On. Also take a look at the Oracle Forms 10g Sample Code and scroll to the SSO demo under the Forms Services Demo section. There are also numerous other documents available via Google. ;-)
    Craig B-)
    If someone's response is helpful or correct, please mark it accordingly.

  • 802.1x multipoint authenticator and security issue

    Hi everybody
    Let's say we have the following setup:
    host1
    host2   ) ----------------hub------ f1/0-switch( authenticator)-------------------------Radius server.
    host3
    The switch is configured as follows.
    Switch(config)#interface FastEthernet 1/0
    Switch(config-if)#dot1x port-control auto
    Switch(config-if)#dot1x host-mode multi-host
    Let's say only host1 has valid credentials and the remaining hosts, i.e. h2 and h3, are rogue hosts. host1 sends an authentication request and is successfully authenticated, and the switch transitions its port to an authorized state. But does that not mean the other hosts h2 and h3, which were not authenticated, are nevertheless able to access the network?
    thanks and have a great weekend.

    This board is more for Wireless Security, not LAN, but I would think it's because you are connecting through a hub instead of a switch. Hubs share the data, so when the switch gets the auth for the valid client it turns that port as it should.
    Now an invalid client connects and because the port is already thinking the client is valid, it passes all the traffic.
    Make sense?
    Steve
    Sent from Cisco Technical Support iPhone App

  • Oracle Proxy Authentication and WLS 8.1/CMP

    Hey folks,
    Is there any way to configure WLS 8.1 to automatically set the Oracle CLIENT_IDENTIFIER
    variable or use Oracle Proxy Authentication on JDBC connections? I'm interested
    in using Oracle auditing with my CMP entity beans, but would like to capture the
    app tier user identity, instead of the data source pool user.
    Thanks.

    "Brent Smith" <[email protected]> wrote in message
    news:3fa15807$[email protected]..
    > Hey folks,
    > Is there any way to configure WLS 8.1 to automatically set the Oracle CLIENT_IDENTIFIER
    > variable or use Oracle Proxy Authentication on JDBC connections? I'm interested
    > in using Oracle auditing with my CMP entity beans, but would like to capture the
    > app tier user identity, instead of the data source pool user.
    I would ask in the weblogic.developer.interest.jdbc newsgroup.

  • Weblogic portal external authentication and authorization

    In our project we are using Weblogic portal 10.3 and Oracle 11g as back end. While creating the domain, I specified Oracle as back end. All the portal-relevant schemas are created in the Oracle database. For our application, we have created a specific schema. In the project-specific schema, we have a user table which contains fields like user name, password, email and other relevant fields. How do I configure WebLogic to access this table for authentication instead of the user table in the portal schema? I also need to know: if a new user is created in the admin console, will the details be stored in a portal schema table or in the project schema user table? Ultimately, I want to configure the project-specific table to store the user details when the user is created via the admin console.
    Need this urgently.

    Hi Rajesh
    Basically you need a Custom Authenticator to store and authenticate all your users from your own specific DB tables (that have user information). For this you need to develop a Custom Authenticator. Please note that this has nothing to do with the Portal. This is core WebLogic security stuff. I compiled some links for you. In case you have Oracle Support, open a ticket with them. Oracle Support does have a fully working sample custom RDBMS Authenticator that stores and authenticates users from a specific set of custom tables. They will send it to you right away. I hope someone in these forums may also have this sample in their personal blogs/forums.
    And, yes, you can force your Custom Authenticator to be the default one and to store the users when you create the users in the Admin Console. Basically, when you create the users you should see an option to choose in which Authentication Provider to create them.
    http://download.oracle.com/docs/cd/E12840_01/wls/docs103/dvspisec/atn.html (Authentication Providers)
    http://download.oracle.com/docs/cd/E12840_01/wls/docs103/dvspisec/atn.html#wp1145342 (Do You Need to Develop a Custom Authentication Provider?)
    http://download.oracle.com/docs/cd/E12840_01/wls/docs103/dvspisec/atn.html#wp1089150 (How to Develop a Custom Authentication Provider)
    http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1204261 (Changing the Order of Authentication Providers)
    Thanks
    Ravi Jegga

  • External authentication and deep linking

    Can someone explain deep linking to me? All of the information I can find on this seems to come from a time before session info was required in the links. How do I link into an APEX app when I don't know the session info? This app has an "automatic" login based on the headers that are tacked on by the security proxy that handles logins.
    I have a custom page sentry; my Apex app is only accessible via a security proxy that sets a username in the header. So, if you can get to my app, you're authenticated. My page sentry then just checks if that authenticated user is in its user table, inserts if not, and then sets some application items with some info from the user table. I just modified the mod_nmlt example to do this (and I have noooooo idea what some of that example is doing, so I left it alone as much as possible).
    I can make a link that has a recent sessionid in it, and then a new sessionid gets generated and it works as I hope, but otherwise I get "null sessionid" or "page not found" errors, depending on what I try to stick in for bogus sessionid.
    Here's my page sentry:
    create or replace FUNCTION Custom_Page_Sentry_Func (p_htmldb_user VARCHAR2 DEFAULT 'APEX_PUBLIC_USER') RETURN BOOLEAN AS
        l_authenticated_username VARCHAR2(256) := nvl(UPPER(OWA_UTIL.GET_CGI_ENV('HTTP_IV_USER')),'NOT_AF_AUTH');
        IS_USER NUMBER := 0;
        L_CURRENT_SID NUMBER;
        v_userid NUMBER;
        v_user_baseid NUMBER;
        v_user_basename VARCHAR2(4000);
    BEGIN
        -- The server is behind the login system, so if the ApEx pages are shown, the login has succeeded (and we will find the cookie)
        -- If logged in user is not a app user (doesn't exists in USERS table)
        -- THEN insert into app user table
        SELECT COUNT(*)
          INTO IS_USER
          FROM USERS
         WHERE UPPER(USERNAME) = l_authenticated_username;
        IF IS_USER = 0 THEN
            INSERT INTO USERS (USERNAME,USERSTUFF) VALUES (l_authenticated_username,'111111111');
        END IF;
        apex_application.g_user := l_authenticated_username;
        SELECT USERID, BASEID, BASENAME
          INTO v_userid, v_user_baseid, v_user_basename
          FROM USERS
          LEFT OUTER JOIN CONTACT_PROFILES USING (USERID)
          LEFT OUTER JOIN BASES USING (BASEID)
         WHERE upper(USERNAME) = l_authenticated_username;
        apex_util.set_session_state('F105_USERID', v_userid);
        apex_util.set_session_state('F105_USER_BASEID', v_user_baseid);
        apex_util.set_session_state('F105_USER_BASENAME', v_user_basename);
        L_CURRENT_SID := WWV_FLOW_CUSTOM_AUTH_STD.GET_SESSION_ID_FROM_COOKIE;
        IF WWV_FLOW_CUSTOM_AUTH_STD.IS_SESSION_VALID THEN
            -- session is valid
            WWV_FLOW.G_INSTANCE := L_CURRENT_SID;
            IF l_authenticated_username = WWV_FLOW_CUSTOM_AUTH_STD.GET_USERNAME THEN
                WWV_FLOW_CUSTOM_AUTH.DEFINE_USER_SESSION(P_USER       => l_authenticated_username,
                                                         P_SESSION_ID => L_CURRENT_SID);
                RETURN TRUE;
            ELSE
                -- username mismatch. Unset the session cookie and redirect back here to take other branch
                WWV_FLOW_CUSTOM_AUTH_STD.LOGOUT(P_THIS_FLOW           => V('APP_ID'),
                                                P_NEXT_FLOW_PAGE_SESS => V('APP_ID') || ':' ||
                                                                         NVL(V('APP_PAGE_ID'), 0) || ':' ||
                                                                         L_CURRENT_SID);
                WWV_FLOW.G_UNRECOVERABLE_ERROR := TRUE; -- tell htmldb engine to quit
                RETURN FALSE;
            END IF;
        ELSE
            -- application session cookie not valid; we need a new htmldb session
            WWV_FLOW_CUSTOM_AUTH.DEFINE_USER_SESSION(P_USER       => l_authenticated_username,
                                                     P_SESSION_ID => WWV_FLOW_CUSTOM_AUTH.GET_NEXT_SESSION_ID);
            WWV_FLOW.G_UNRECOVERABLE_ERROR := TRUE; -- tell htmldb engine to quit
            IF OWA_UTIL.GET_CGI_ENV('REQUEST_METHOD') = 'GET' THEN
                WWV_FLOW_CUSTOM_AUTH.REMEMBER_DEEP_LINK(P_URL => 'f?'
                    || WWV_FLOW_UTILITIES.URL_DECODE2(OWA_UTIL.GET_CGI_ENV('QUERY_STRING')));
            ELSE
                WWV_FLOW_CUSTOM_AUTH.REMEMBER_DEEP_LINK(P_URL => 'f?p=' ||
                    TO_CHAR(WWV_FLOW.G_FLOW_ID) || ':' ||
                    TO_CHAR(NVL(WWV_FLOW.G_FLOW_STEP_ID, 0)) || ':' ||
                    TO_CHAR(WWV_FLOW.G_INSTANCE));
            END IF;
            WWV_FLOW_CUSTOM_AUTH_STD.POST_LOGIN( -- register session in apex sessions table, set cookie, redirect back
                P_UNAME     => l_authenticated_username,
                P_FLOW_PAGE => WWV_FLOW.G_FLOW_ID || ':' ||
                               NVL(WWV_FLOW.G_FLOW_STEP_ID, 0));
            RETURN FALSE;
        END IF;
        --RETURN TRUE;
    END Custom_Page_Sentry_Func;

    Great, maybe I'm just composing links wrong? So, if I use a link like so:
    https://www.my.host.com/pls/apex/f?p=105:1
    I get:
    ORA-01400: cannot insert NULL into ("FLOWS_030000"."WWV_FLOW_DATA"."FLOW_INSTANCE")
    ERR-1029 Unable to store session info. session= item=2217309821144750
    But, if I use a link like so:
    https://www.my.host.com/pls/apex/f?p=105:1:1529940631702824
    (where that sessionID is one that was recently used)
    Then I get redirected to the page with a new sessionid, like so:
    https://www.my.host.com/pls/apex/f?p=105:1:1992194699278121
    But, if I use a link like so:
    https://www.my.host.com/pls/apex/f?p=105:1:1111111111111111
    (just trying to use a generic bogus sessionid, to hardcode in my link)
    Then I get an http404-file not found (The page cannot be found) error.
    Am I doing something wrong?

  • Oracle.ldap.util and secure connections

    Greetings,
    I am connecting to our corporate LDAP (Sun One) server to retrieve Users so as to produce lists of names, etc. In development, the connection was not secure, however in production it is. I need some advice on what the method to use would be for handling the secure connection.
    It looks like I am unable to get the RootOracleContext object from which to getSubscriber(). Please help!
    And happy holidays!
    Thanks, Ginni

    Bump

  • External Authentication in EAS using MSAD

    We use MSAD for our external authentication and it works fine if the user logon names are set up a certain way in MSAD. However, some of them are set up differently and Essbase won't allow us to use external authentication for them. Is there a setting somewhere in Essbase that can be changed to allow more than one user logon name format coming from MSAD?

    Hi Krista,
    Unfortunately you cannot specify two formats to authenticate. If I understand correctly you want to identify a user in MSAD by more than one field; as far as I know, in Essbase external authentication the XML file cannot use more than one field.
    Your most probable solution to this would be to add the field you are using in your XML file to all users using Essbase in MSAD.
    Please use the following link if you need further information.
    http://dev.hyperion.com/techdocs/essbase/essbase_712/Docs/techref/techref.htm#config/security/configure/config.htm
    Here is the sample Active Directory format.
    <msad name="msadServer">
        <trusted>false</trusted>
        <url>ldap://host:portNo/DIT</url>
        <userDN>cn=UserName</userDN>
        <password>UserPassword</password>
        <user>
            <url>ou=people</url>
        </user>
        <group>
            <url>ou=Groups</url>
        </group>
    </msad>

  • External authentication using Headervariable

    Hi SAP Experts
    We have configured External authentication for WEM using Headervariable. We are using BI Java 7.0.
    External authentication is working fine using the Headervariable Login module for URL http://<WEb Server hostname>/irj, which redirects to http://<J2EE hostname>:<port #>/irj
    As you all know, we also use http://<J2EE hostname>:<port #> for administration, where many options are available like user management, SLD, Webdynpro, NetWeaver Administration etc. We have not configured this URL for External Authentication and also do not want to configure it, but when trying to access any administration option on this, the portal prompts the default logon page and after entering Portal UserID/Password we get a message like "No Loginmodules configured for Header"
    I do not know why the system displays this message.
    Please help me if anyone has experience resolving this issue, as we want to use URL http://<J2EE hostname>:<port #>, which should prompt the Portal Logon screen, and after entering Portal userid/password we should access the administration screen without affecting our External Authentication configuration for URL http://<WEb Server host>/irj
    Thanks in Advance
    Thanks with Regards
    Deelip Kumar

    Hi Deelip,
    my earlier post referred to an additional authscheme that you may have created. If you have done so, please remove it. If you have checked this, there still is a predelivered authscheme called header, which references a login stack called header. This login stack template does not exist as a default.
    In this case, you may have assigned this authscheme (header) to some component, like an iview. How this works is explained in the docs here (http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/f91fba71ae48309e4267b4a36fa47b/frameset.htm) and here (http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/a334ed5bbfd5488b8cdd67b2c594a9/frameset.htm) for example.
    If you have done so, this reference to the authscheme header may trigger the lookup of the login stack template called header, which does not exist and thus leads to the error.
    For detailed error analysis, I would recommend to search the security log and the portal logs for indications where the source of this error might be.
    Regards,
    Patrick

  • PHP external authentication

    Hi:
    Has anyone successfully implemented a php based external
    authentication using cocomo in an AIR application? I am having a
    hard time following the documentation provided with the cocomo SDK.
    This is what I have in place:
    An AIR application which lets users inside using a login and
    password which they registered for. The login/registration system
    is a PHP5/MySQL5 backend. I saw the examples section for External
    Authentication and couldn't tell what the hills was going on there.
    I know this may sound very "noob" but can anyone walk me
    through or provide a step-by-step tutorial. I am working on an
    awesome AIR application and will soon release it for free once I
    get this social media part integrated into it. Please help me out
    guys.
    Thank you very much in advance.
    Praneet

    Hi Nigel:
    Thank you very much for replying to my post. Ok, so this is
    what I understood from your post and what I am going to do:
    1.) send the username to the PHP script using HTTPService
    2.) my PHP script will contain the code attached to this post
    3.) in my MXML file this is what I have
    <mx:Script>
    <![CDATA[
        private function init():void {
            //roomURL = Application.application.parameters["roomURL"];
            //authToken = Application.application.parameters["authToken"];
            //cSession.login();
            // Ask the PHP script for an authentication key
            cocomoService.send();
        }
        private function cocomoResult():void {
            // Use the key returned by the PHP script to log in to the room
            Alert.show(cocomoService.lastResult.authkey.toString());
            authToken = cocomoService.lastResult.authkey.toString();
            auth.authenticationKey = authToken;
            cSession.login();
        }
    ]]>
    </mx:Script>
    <mx:HTTPService id="cocomoService" url="http://localhost/mycocomo.php"
        result="cocomoResult()" method="POST">
        <mx:request xmlns="">
            <user>some user in my database</user>
            <role>100</role>
        </mx:request>
    </mx:HTTPService>
    <rtc:AdobeHSAuthenticator id="auth"/>
    <session:ConnectSessionContainer
        roomURL="http://connectnow.acrobat.com/myapp/myroom"
        id="cSession"
        authenticator="{auth}"
        autoLogin="false">
    4.) and nothing happens. Although the Alert popup shows me
    the reply I got back from my localhost which does seem like an
    authToken to me...I can paste the authtoken here if it is ok to..
    Thanks in advance.
    Praneet

  • External Authentication Half Working

    I'm having a strange issue with external authentication and PHP. I've got the PHP code set up correctly (I believe) and I pass the authentication token to the Flex application via flashvars and when the application loads the roster pod shows everyone logged into the room including the user just added. But I can't interact with any other components like the whiteboard and the simplechat.
    Has anyone ever seen that? Any idea what might be going on? The AuthenticationSuccess event seems to fire correctly but I still can't interact with anything.
    =Ryan

    I am having a very similar problem, although I am not authenticating externally first.  I am able to authenticate inside a flex 4 b2 app and get a list of people in the chat room, but whenever I post anything, I get null exceptions all over the place in the AFCS rtc package.
    On another note, does anyone know if there is an open repo I can pull recent updates from for AFCS?

  • Oracle BAM Authentication Question

    We are facing a strange problem related to Oracle BAM authentication and I'd like to ask for opinions or suggestions.
    - We have a BAM Server called MYSERVER
    - MYSERVER is a Win2003 and BAM was installed using MYSERVER\Administrator account
    - We have a domain called MYDOMAIN
    - MYSERVER is part of domain MYDOMAIN and this domain is registered in MYSERVER as a trusted domain.
    - We have four user groups created in domain, not in bam server:
    1) MYDOMAIN\bamAdmin
    2) MYDOMAIN\bamArchitect
    3) MYDOMAIN\bamDesigner
    4) MYDOMAIN\bamUser
    - In Windows 2003 we added the following users to the groups below:
    user MYDOMAIN\adm was added to group MYDOMAIN\bamAdmin
    user MYDOMAIN\arch was added to group MYDOMAIN\bamArchitect
    user MYDOMAIN\des was added to group MYDOMAIN\bamDesigner
    user MYDOMAIN\usr was added to group MYDOMAIN\bamUser
    - In Administrator>Login Management
    We didn't create login for users, only groups just described:
    MYDOMAIN\bamAdmin
    MYDOMAIN\bamArchitect
    MYDOMAIN\bamDesigner
    MYDOMAIN\bamUser
    - In Administrator>Roles Management
    We selected each Role and added the following groups
    Administrator > MYDOMAIN\bamAdmin
    Report Architect > MYDOMAIN\bamArchitect
    Report Creator > MYDOMAIN\bamDesigner
    Report Viewer > MYDOMAIN\bamUser
    - After that, we return to Administrator > Login Management to review groups
    There is a yellow question mark indicating BAM cannot validate this login in the domain controller.
    This login is not currently known to be a valid login.
    We click in one of the described groups, such as
    MYDOMAIN\bamUser
    And then in "View Roles" link.
    We receive the following message
    ADC Server exception in GetUserGroups(): 3.
    Source: "ActiveDataCache" ID: "ADCServerException"
    Logon failure: unknown user name or bad password
    Source: "Oracle.BAM.Common.Core"
    Sometimes we get: "Network path not found" and finally we get this message:
    "The account used to run the Oracle BAM Active Data Cache does not have permission to retrieve the list of groups for this user. Contact your network administrator."
    - If MYDOMAIN\usr that was added to group MYDOMAIN\bamUser try to access BAM Viewer module or bam home page (http://myserver/oracleBam), he receives the same error in welcome screen.
    - User MYDOMAIN\usr can login to MYSERVER server in domain MYDOMAIN, so server recognizes the domain and user.
    - In Windows NT Alert Viewer we have several errors/warnings registered, telling that BAM could not validate user/login and also "RPC Server Unavailable" errors.
    - I tried changing ADC Service user credentials to MYDOMAIN\Administrator, but ADC Service didn't start anymore, so we have to reconfigure to MYSERVER\Administrator.
    - In ADC Log we have several messages indicating BAM could not validate user:
    2008-01-22 17:26:11,875 [User Validation Thread] WARN - ActiveDataCache Caught exception while validating user MYDOMAIN\usr: Logon failure: unknown user name or bad password
    And when we changed credentials to MYDOMAIN\Administrator we got messages indicating bam stores some type of key/encrypt information by user who installed product (MYSERVER/Administrator):
    2008-01-22 16:49:16,062 [1484] ERROR - ActiveDataCache DPAPI was unable to decrypt data. CryptUnprotectData failed. Error -2146893813: Key not valid for use in specified state.
    Could somebody point out what could be wrong, perhaps with a tip or doc about WINDOWS/BAM auth integration?
    Metalink has little information about that, such as Note: 412555.1, but from the network view it seems to be correct because we may log on MYDOMAIN\usr to MYSERVER successfully.
    Bam could integrate to NT user authentication seamlessly, but it seems to me that it's harder and tricky than we thought.
    Any ideas?
    Thank you in advance,
    Rogério

    Hi,
    Windows services running as a local user cannot do domain user authentication (even when the machine is on that domain).
    You will need to change the ADC Service user credentials to MYDOMAIN\Administrator. If you do this only in Services, the service won't start because the database passwords in the config files are encrypted as the original user and cannot be decrypted by the new user.
    See "Working with Post-Install Password Changes and Password Expiration Policies" in the BAM Install Guide (In chapter 3 under Additional Configuration Settings) to change the config files. And also add MYSERVER\Administrator to BAM Administrator group before change.
    The easiest may be to just reinstall as user MYDOMAIN\Administrator.
    Thanks
    Ranga
