PHP external authentication issue

Trying to login to AFCS connection using external authentication.
PHP file generates a key correctly and everything seems to fine up until i get to using the key inside flex.
at the login stage i get the following error in the console trace from the library login call
As far as i can tell everything is right... how can i tell what is wrong with the authentication key?
AFCS Beta Build # : 1.1
requestInfo https://connectnow.acrobat.com/{roomname}?exx=eDp7dXRmOF9lbmNvZGUoZGFyaXVzKX06OmRtOmFnZW50ZG06aHR0cHM6Ly9jb25uZWN0bm93LmF jcm9iYXQuY29tL2hpaW50ZXJmYWNlL2RtOjEwMDo4N2NmNWUwMjIzZTVhMmFkYzI2MmY4MDVlNWJmMWVlM2Y4OTJlY 2Qx&mode=xml&x=0.2519759591668844
#THROWING ERROR# bad authentication key

There are a few mistakes in the key. There is some PHP 'code' in it (wrong string expansion ?) and you are using a full URL instead of the room name.
If you want more details send me a private message, but you should check the way you call the get authentication token method.

Similar Messages

Essbase 6.5 External Authentication Issue!! Urgent Please!!

Hi all,
I am great trouble over an external authentication issue in Essbase 6.5. I request you all to please give me your feedback on the same as soon as possible.
I am in a situation where I need to get my Essbase 6.5 external Authentication converted from LDAP to Active Directory services.
I suppose there has been necessary changes done to the .cfg file for the same. However, I think I am getting an error
"User [vikc]'c external authentication protocol [MSEX]'s password check module is not loaded".
Please let me know if you have come across such an issue earlier and can anybody to able to help me with the same.
Its kinda Urgent. so any replies for the same will be appreciated.
Thanks and Regards,
Vikram

Vikram,
Yes you will have to reconfigure the CSS.xml and cfg file for external auth.
Here is the Sample CSS
<spi>
 <provider>
 <msad name="full360">
 <trusted>false</trusted>
 <url>ldap://192.168.1.100:389/DC=full360,DC=com</url>
 <userDN>CN=Ravinder Singh,DC=full360,DC=com</userDN>
 <password>full@360</password>
 <authType>simple</authType>
 <identityAttribute>dn</identityAttribute>
 <maxSize>1000</maxSize>
 <user>
 <loginAttribute>sAMAccountName</loginAttribute>
 <nameAttribute>dn</nameAttribute>
 </user>
 <group>
 <nameAttribute>cn</nameAttribute>
 <objectclass>
 <entry>group?member</entry>
 </objectclass>
 </group>
 </msad>
Download this toll "http://www.ldapbrowser.com/download.htm"
LDAP browser to get the perfact DN information.
Let me know the status
Ravikant

PHP external authentication

Hi:
Has anyone successfully implemented a php based external
authentication using cocomo in an AIR application? I am having a
hard time following the documentation provided with the cocomo SDK.
This is what I have in place:
An AIR application which lets users inside using a login and
password which they registered for. The login/registration system
is a PHP5/MySQL5 backend. I saw the examples section for External
Authentication and couldn't what the hills was going on there.
I know this may sound very "noob" but can anyone walk me
through or provide a step-by-step tutorial. I am working on an
awesome AIR application and will soon release it for free once I
get this social media part integrated into it. Please help me out
guys.
Thank you very much in advance.
Praneet

Hi Nigel:
Thank you very much for replying to my post. Ok, so this is
what I understood from your post and what I am going to do:
1.) send the username to the PHP script using HTTPService
2.) my PHP script will contain the code attached to this post
3.) in my MXML file this is what I have
quote:
private function init():void {
//roomURL = Application.application.parameters["roomURL"];
//authToken =
Application.application.parameters["authToken"];
//cSession.login();
cocomoService.send();
private function cocomoResult():void {
Alert.show(cocomoService.lastResult.authkey.toString());
authToken = cocomoService.lastResult.authkey.toString();
auth.authenticationKey = authToken;
cSession.login();
]]>
</mx:Script>
<mx:HTTPService id="cocomoService" url="
http://localhost/mycocomo.php"
result="cocomoResult()" method="POST">
<mx:request xmlns="">
<user>some user in my database</user>
<role>100</role>
</mx:request>
</mx:HTTPService>
<rtc:AdobeHSAuthenticator id="auth"/>
<session:ConnectSessionContainer
roomURL="
http://connectnow.acrobat.com/myapp/myroom"
id="cSession"
authenticator="{auth}"
autoLogin="false">
4.) and nothing happens. Although the Alert popup shows me
the reply I got back from my localhost which does seem like an
authToken to me...I can paste the authtoken here if it is ok to..
Thanks in advance.
Praneet

Hyperion Hub external authentication issue

I have Hyperion Hub installed in an Active Directory domain - the users still live in a NT4 domain (we are in the midst of a migration). I have set up trusts between the two domains. We have been utilizing external authentication with Hyperion Reports in this environment for several months. With Hyperion Hub I have setup two authentication providers one for active directory(NTLM) and one for NT4 (NTLM). When adding users in the Hyperion Configuration Console using the provider for NT4, I am only able to pull up users in the "Available Users" list if I have a '*' in the search box. If I try to perform a query of a subset of users (ie. 'g*') it returns nothing. The provider for Active Directory works correctly. Also, with both of the providers I am unable to pull up a full list of available users - even when setting the "Maximum Size" to a large number. Has anyone else come across this??? Greg

I would suggest you set autoLogin="false" on rtc:ConnectSessionContainer and call cSession.login() when you are ready (you got the token and have everything set up).
I suspect the automatic login is getting executed before the AdobeHSAuthenticator has been correctly setup.

OID External Authentication issue

Hi..
I have configured synchronization profile to import users from TDS to OID using DIP but it does not work as change log is not enabled on TDS side.
Now i have configured External Authentication Plugin and i craeted same users in in TDS and also in OID but external authenctication does not work.
Can you please point out if i missing some point or is synchronization profile is must for External Authentication.
Find the product version details -
OID 11.1.1.6
Tivoli Directory Server 6.1
Regards
Santosh
Edited by: user601746 on Jan 8, 2013 1:02 AM

Got the solution.
I used bootstrap loading to create users from TDS to OID then configure external authentication..works fine... :)

External Authentication issue

Hi All
In Shared services I have 'Configured User directories' with the SQl server database. I could connect and get all the users from SQl server . I can see that there are items under User Directories 1.Native Directory 2.SQl server . The serach order is also set. I have restared the Shared services. Now how can i make the use of SQl server users ? .
From Console I have done the "Externalize users " for Essbase server. I have refreshed the security from shared services.
Now I should be able to login in console using the SQl server users .. isnt it ? How can I do that ? How can i use the SQl server users to login into EAS and essbase server? . I also provisioned the SQl server user in Shared services and given the Administrator priveleges to Analytic server.
Please help me.

Hi,
1. As you see the newly added "user directory", It must be added properly. But,to re confirm your configuration of SQL server user directory. Do test it ( there is an option to "test" it ,when you go to 'use directory' within shared services.
2. After you have added, you have told that you have restarted shared services. But ,when you configure a new user directory, I would recommend you to restart shared services along with the other application related services ( like essbase, planning).
3. Now, if you want to use the users of newly configured User directory, search the user from the directory and assign the roles/preveleges . Then try to login into systems( shared services , planning or essbase ...etc).
Revert for further clarity.
Sandeep Reddy Enti
HCC
http://hyperionconsultancy.com/

PHP iTunes U authentication issue

I’ve been working with integrating iTunes U with Moodle. On the Moodle site there is an iTunes U block available for integrating the 2 systems. I’ve been trying to use this and I am able to get to the iTunes U site from Moodle, but I am not being signed into the site as an authenticated user. I can’t seem to figure out why. I was however able to authenticate with a Perl script.
The Moodle block has a Setting section where I fill in all my site specific information such as the Shared Secret. This is definitely working fine as I am able to get to my site without issue. But, the passing of the credentials and identity do not seem to be working because I am not being signed in as an authenticated user.
Right now my Credentials are very basic – formatted just like the sample ones – such as:
Adminstrator@urn:mace:itunesu.com:sites:example.edu (where example.edu is my school’s name).
Can anyone review the files below and shed some light on why I am not getting authenticated?
Thanks.
Itunes_redirect.php
<?php // $Id: itunesu_redirect.php,v 1.1 2008/06/06 19:08:49 mchurch Exp $
require_once('../../config.php');
global $USER, $CFG;
require_once($CFG->dirroot.'/lib/weblib.php');
require_once($CFG->dirroot.'/lib/moodlelib.php');
require_once($CFG->dirroot.'/blocks/itunesu/itunes.php');
if (!isloggedin()) {
print_error('sessionerroruser', '' , $CFG->wwwroot);
$destination = required_param('destination', SITEID, PARAM_INT); // iTunes U destination
$name = fullname($USER);
/* Create instance of the itunes class and initalized instance variables */
$itunes = new itunes();
$itunes->setUser($name, $USER->email, $USER->username, $USER->id);
/* more work needs to be done with determining credentials */
$itunes->setAdminCredential($CFG->blockitunesuadmincred);
$itunes->setInstructorCredential($CFG->blockitunesuinsturctcred);
$itunes->addAdminCredentials();
$itunes->setSiteURL($CFG->blockitunesuurl);
$itunes->setSharedSecret($CFG->blockitunesusharedsecret);
$itunes->setDestination($destination);
$itunes->invokeAction();
?>
Itunes.php file:
<?php
# iTunes Authentication Class
# Written by Aaron Axelsen - [email protected]
# University of Wisconsin - Whitewater
# Edited by Ryan Pharis, [email protected] - Texas Tech University
# Class based on the Apple provided ITunesU.pl
# example script.
# REQUIREMENTS:
# PHP:
# - tested with PHP 5.2
# - make sure hash_hmac() works - <a class="jive-link-external-small" href="http://us2.php.net/manual/en/function.hash-hmac.php">http://us2.php.net/m anual/en/function.hash-hmac.php</a>
# - php curl support
#Example Usage:
<?php
include('itunes.php');
$itunes = new itunes();
// show loading screen while processing request
//include(ROOTURL.'/includes/pages/itunesload.php');
// Set User
$itunes->setUser("Jane Doe", "[email protected]", "jdoe", "42");
// Set Admin Permissions
$itunes->addAdminCredentials();
// Set Instructor Permission
//$itunes->addInstructorCredential('uniquename_fromitunes');
// Set Student Credential
//$itunes->addStudentCredential('uniquename_fromitunes');
// Set Handle
// This will direct login to the specific page
#$itunes->setHandle('');
// iTunes U Auth Debugging
$itunes->setDebug(true);
$itunes->invokeAction();
?>
class itunes {
// Oktech - add
var $authtoken;
var $siteURL;
var $debugSuffix;
var $sharedSecret;
var $administratorCredential;
var $instructorCredential;
var $studentCredential;
var $urlonly;
var $urlcredentials;
var $destination;
// Oktech
* Create iTunes Object
public function __construct() {
$this->setDebug(false);
$this->siteURL = 'https://deimos.apple.com/WebObjects/Core.woa/Browse/example.edu';
$this->directSiteURL = 'https://www.example.edu/cgi-bin/itunesu';
$this->debugSuffix = '/abc1234';
$this->sharedSecret = 'STRINGOFTHIRTYTWOLETTERSORDIGITS';
$this->administratorCredential = 'Administrator@urn:mace:itunesu.com:sites:example.edu';
$this->studentCredential = 'Student@urn:mace:itunesu.com:sites:example.edu';
$this->instructorCredential = 'Instructor@urn:mace:itunesu.com:sites:example.edu';
$this->credentials = array();
// Set domain
$this->setDomain();
// Oktech add
public function getInstructorCredential() {
return $this->instructorCredential;
public function setInstructorCredential($credential) {
$this->instructorCredential = $credential;
public function getStudentCredential() {
return $this->studentCredential;
public function setStudentCredential($credential) {
$this->studentCredential = $credential;
public function getAdminCredential() {
return $this->administratorCredential;
public function setAdminCredential($credential) {
$this->administratorCredential = $credential;
public function getSharedSecret() {
return $this->sharedSecret;
public function setSharedSecret($sharedsecret) {
$this->sharedSecret = $sharedsecret;
public function getAuthToken() {
return $this->authtoken;
public function setAuthToken($authtoken) {
$this->authtoken = $authtoken;
public function getDebugSuffix() {
return $this->directSiteURL;
public function setDebugSuffix($debugsuffix) {
$this->directSiteURL = $debugsuffix;
public function getSiteURL() {
return $this->siteURL;
public function setSiteURL($siteurl) {
$this->siteURL = $siteurl;
* Extract the URL from the return html
* block from the iTunes U server. Replace
* Apple's itmss tag with https
private function extractURL($htmlblock) {
$remainder = '';
$pos = 0;
$result = '';
$remainder = strstr($htmlblock, "_open('i");
$remainder = substr_replace($remainder, '', 0, 7);
$remainder = substr_replace($remainder, 'https', 0, 5);
$pos = strpos($remainder, "');");
$result = substr_replace($remainder, '', $pos);
$this->urlonly = $result;
public function getExtractedURL() {
return $this->urlonly;
* Extract the credentials part from the returned URL from
* the iTunes U server
public function extractURLCredentials($url) {
$result = '';
$pos = 0;
$remainder = strstr($url, "gtcc.edu?");
$remainder = substr_replace($remainder, '', 0, 9);
$this->urlcredentials = $remainder;
public function getExtractedURLCredentials() {
return $this->urlcredentials;
public function setDestination($destination) {
$this->destination = $destination;
public function getDestination() {
return $this->destination;
// Oktech add
* Add's admin credentials for a given user
public function addAdminCredentials() {
$this->addCredentials($this->administratorCredential);
* Add Student Credential for a given course
public function addStudentCredential($unique) {
$this->addCredentials($this->studentCredential.":$unique");
* Add Instructor Credential for a given course
public function addInstructorCredential($unique) {
$this->addCredentials($this->instructorCredential.":$unique");
* Set User Information
public function setUser($name, $email, $netid, $userid) {
$this->name = $name;
$this->email = $email;
$this->netid = $netid;
$this->userid = $userid;
return true;
* Set the Domain
* Takes the siteURL and splits off the destination, hostname and action path.
private function setDomain() {
$tmpArray = split("/",$this->siteURL);
$this->siteDomain = $tmpArray[sizeof($tmpArray)-1];
$this->actionPath = preg_replace("/https:\/\/(.+?)\/.*/",'$1',$this->siteURL);
$pattern = "/https:\/\/".$this->actionPath."(.*)/";
$this->hostName = preg_replace($pattern,'$1',$this->siteURL);
$this->destination = $this->siteDomain;
return true;
* Set the Handle
* Takes the handle as input and forms the get upload url string
* This is needed for using the API to upload files directly to iTunes U
public function setHandle($handleIn) {
$this->handle = $handleIn;
$this->getUploadUrl = "http://deimos.apple.com/WebObjects/Core.woa/API/GetUploadURL/".$this->siteDoma in.'.'.$this->handle;
return true;
* Get Identity String
* Combine user identity information into an appropriately formatted string.
* take the arguments passed into the function copy them to variables
private function getIdentityString() {
# wrap the elements into the required delimiters.
return sprintf('"%s" <%s> (%s) [%s]', $this->name, $this->email, $this->netid, $this->userid);
* Add Credentials to Array
* Allows to push multiple credientials for a user onto the array
public function addCredentials($credentials) {
array_push($this->credentials,$credentials);
return true;
* Get Credentials String
* this is equivalent to join(';', @_); this function is present
* for consistency with the Java example.
* concatenates all the passed in credentials into a string
* with a semicolon delimiting the credentials in the string.
private function getCredentialsString() {
#make sure that at least one credential is passed in
if (sizeof($this->credentials) < 1)
return false;
return implode(";",$this->credentials);
private function getAuthorizationToken() {
# Create a buffer with which to generate the authorization token.
$buffer = "";
# create the POST Content and sign it
$buffer .= "credentials=" . urlencode($this->getCredentialsString());
$buffer .= "&identity=" . urlencode($this->identity);
$buffer .= "&time=" . urlencode(mktime());
# returns a signed message that is sent to the server
$signature = hash_hmac('SHA256', $buffer, $this->sharedSecret);
# append the signature to the POST content
return sprintf("%s&signature=%s", $buffer, $signature);
* Invoke Action
* Send a request to iTunes U and record the response.
* Net:HTTPS is used to get better control of the encoding of the POST data
* as HTTP::Request::Common does not encode parentheses and Java's URLEncoder
* does.
public function invokeAction() {
$this->identity = $this->getIdentityString();
$this->token = $this->getAuthorizationToken();
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $this->generateURL() . '?' . $this->token);
//curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Oktech - change
$this->authtoken = curl_exec($ch);
curl_close($ch);
/* Start a new sesstion and send a request for specific content with the appropriate credentials */
$ch = curl_init();
$this->extractURL($this->authtoken);
$this->extractURLCredentials($this->urlonly);
curl_setopt($ch, CURLOPT_URL, $this->siteURL . '.' . $this->destination . '?' . $this->urlcredentials);
//curl_setopt($ch, CURLOPT_POST, 1);
curl_exec($ch);
curl_close($ch);
// Oktech
* Auth and Upload File to iTunes U
* This method is said to not be as heavily tested by apple, so you may have
* unexpected results.
* $fileIn - full system path to the file you desire to upload
public function uploadFile($fileIn) {
$this->identity = $this->getIdentityString();
$this->token = $this->getAuthorizationToken();
// Escape the filename
$f = escapeshellcmd($fileIn);
// Contact Apple and Get the Upload URL
$upUrl = curl_init($this->getUploadUrl.'?'.$this->token);
curl_setopt($upUrl, CURLOPT_RETURNTRANSFER, true);
$uploadURL = curl_exec($upUrl);
$error = curl_error($upUrl);
$http_code = curl_getinfo($upUrl ,CURLINFOHTTPCODE);
curl_close($upUrl);
print $http_code;
print "
$uploadURL";
if ($error) {
print "
$error";
# Currently not working using php/curl functions. For now, we are just going to echo a system command .. see below
#// Push out the designated file to iTunes U
#// Build Post Fields
#$postfields = array("file" => "@$fileIn");
#$pushUrl = curl_init($uploadURL);
#curl_setopt($pushUrl, CURLOPT_FAILONERROR, 1);
#curl_setopt($pushUrl, CURLOPT_FOLLOWLOCATION, 1);// allow redirects
#curl_setopt($pushUrl, CURLOPT_VERBOSE, 1);
#curl_setopt($pushUrl, CURLOPT_RETURNTRANSFER, true);
#curl_setopt($pushUrl, CURLOPT_POST, true);
#curl_setopt($pushUrl, CURLOPT_POSTFILEDS, $postfields);
#$output = curl_exec($pushUrl);
#$error = curl_error($pushUrl);
#$http_code = curl_getinfo($pushUrl, CURLINFOHTTPCODE);
#curl_close($pushUrl);
#print "
#print $http_code;
#print "
$output";
#if ($error) {
# print "
$error";
// Set the php time limit higher so it doesnt time out.
settimelimit(1200);
// System command to initiate curl and upload the file. (Temp until I figure out the php curl commands to do it)
$command = "curl -S -F file=@$f $uploadURL";
echo "
echo $command;
exec($command, $result, $error);
if ($error) {
echo "I'm busted";
} else {
print_r($result);
echo $command;
* Set Debugging
* Enable/Disable debugging of iTunes U Authentication
public function setDebug($bool) {
if ($bool) {
$this->debug = true;
} else {
$this->debug = false;
return true;
* Generate Site URL
* Append debug suffix to end of url if debugging is enabled
private function generateURL() {
if ($this->debug) {
return $this->siteURL.$this->debugSuffix;
} elseif ($this->isHandleSet()) {
return $this->directSiteURL.'.'.$this->handle;
} else {
return $this->siteURL;
* Check to see if the handle is set
private function isHandleSet() {
if (isset($this->handle))
return true;
else
return false;
?>

Janet ... hmmm ... I suppose it could also be "Jane T. Smith" ... ah well, anywho,
One thing to understand when it comes to credentialling is that, even if your transfer CGI (Moodle block) doesn't work ... if you redirect someone to your iTunes U site, that person will -always- carry two credentials ... "Unauthenticated" and "All". You do not have to assign the credentials ... they are automatic.
Put it this way, if I direct you to my site:
https://deimos.apple.com/WebObjects/Core.woa/Browse/uic.edu
if you click on that link, authentication or no, Apple will give you the "Unauthenticated" and "All" credentials. Anywhere on my site where those creds are good, you'll have access.
Hmmm ... maybe I can rephrase it this way ... there are four credentials that are a part of every site ...
All ... everyone who accesses your site gets this cred ... everyone.
Authenticated ... if you pass a valid iTunes U URL request for a user, he/she will get this cred.
Unauthenticated ... this cred is given whenever someone gets to your site -without- a tokenized (credentials, identity, time, signature) URL request. For example, if someone uses your site base URL without any modification.
Administrator ... this cred has total access to a site.
So if you access your site using your admin cred, you'll actually carry three creds ... "Administrator" (of course), but also "All" and "Authenticated".
So why this long discussion of creds? Well, if you're getting in with the "Unauthenticated" credential, it's a sure sign your transfer CGI (Moodle thingy) isn't working ... at all. It's not that you can't pass the admin cred ... or identity info ... you're not passing any info. And because you're not passing any info, iTunes U does the default thing ... give you "All" and "Unauthenticated" access.

AD External Authentication Plug-In verification issue

We are working on a Proof of Concept instance to integrate MS AD with OID for the first time for E-Biz 11i.
1) I completed the bulk load of all the existing users from AD to OID successfully
2) completed enabling the syncrhonization profile
3) Ran the txkrun.pl successfully
4) However i wanted to check the External authentication plug-in and i get the below issue.
How to debug ldapcompare ? Where is the logfile for ldapcompare ?
ldapcompare -h OID_Host -p 389 -D "cn=orcladmin" -w ******* -b "cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us" -a userPassword -v abcdefgh
The value abcedefgh is not contained in the attribute userPassword in DN cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us.
An ldapbind on the same AD server is successful, but ldapcompare is failing.

I get invalid credentials. Though the network password is correct. I feel its somewhere i messed up the 3rd party plug-in configuration. Is there a method to get debug information for ldapcompare command ?
From metalink NOTE : 277382.1
"When using the above command, ldapcompare binds to OID using the OID admin user (typically "cn=orclAdmin") and password. Then it provides the AD username and requests that the value supplied as AD-USER-PASSWORD be compared to whatever is stored in AD username's userPassword attribute. Because OID does not store a value in its own user entries/userPassword attributes for AD-synchronized entries, this ldapcompare call will cause OID to invoke the plug-in and verify the userPassword value in AD instead.
If the plug-in works, the ldapcompare should return a message saying that the given password is contained in the userpassword attribute, e.g.
"

External Authentication failed via PHP script

I'm not a PHP wiz - in fact I am not a backend coder so I am
somewhat struggeling with the sample scripts - I still hope for a
CF sample...
I'm trying to run and log in to AFCS via the commandline
(Terminal). I'm not sure what I'm doing wrong - here what I am
passing:
php -f /Applications/MAMP/htdocs/afcs.php args --debug
--host=http://connectnow.acrobat.com,fcguru,my_login,my_pass
The username and password I pass are correct. However I get
this response:
Error: exception 'AFCSError' with message '<response
status="error">
<error code="AUTH_FAILED">
<msg>Authorization Failed</msg>
</error>
</response>
' in /Applications/MAMP/htdocs/afcs.php:86
Really struggeling with this. Even once I get this working
from the commandline I do not know how to call this from a script
instead. I use CF on the backend, not PHP.
Regards,
Stefan

I would say that your command is syntactically correct, but
semantically incorrect :)
Two problems:
- there is no "args" parameter in afcs.php
- when you use php -f file.php you have to append a -- after
the php file to tell the interpreter to stop parsing parameters
because they belong to the script
So, try this:
php -f /Applications/MAMP/htdocs/afcs.php -- --debug
--host=http://connectnow.acrobat.com fcguru my_login my_pass
or this:
php /Applications/MAMP/htdocs/afcs.php --debug
--host=http://connectnow.acrobat.com fcguru my_login my_pass
Also, there is an example of a php web application that uses
external authentication in the examples folder
(ExternalAuthentication/php). Just drop the php folder somewhere in
your webserver and try it out.

User authentication issues when auth by external radius server

We tend to use FF in a corporate environment to manage our networking devices (firewalls/switches/routers etc). Came across a bizarre problem under the following conditions:
ZyXEL Network Switch (GS2200-24) uses external authentication (RADIUS) to allow management and accounting of who makes changes.
When logging into the switch with FF, we get repeated prompts for user authentication. Eventually the user is logged in (and no it's not a typo!). Looking through the dev console in the beta, it seems to get a 401 unauthorised back from the switch once it tries to load another html file.
The browser *should* be presenting the same credentials to each called page within the site, it doesn't seem to :-(
No site added as it's an internal IP address....

We tend to use FF in a corporate environment to manage our networking devices (firewalls/switches/routers etc). Came across a bizarre problem under the following conditions:
ZyXEL Network Switch (GS2200-24) uses external authentication (RADIUS) to allow management and accounting of who makes changes.
When logging into the switch with FF, we get repeated prompts for user authentication. Eventually the user is logged in (and no it's not a typo!). Looking through the dev console in the beta, it seems to get a 401 unauthorised back from the switch once it tries to load another html file.
The browser *should* be presenting the same credentials to each called page within the site, it doesn't seem to :-(
No site added as it's an internal IP address....

External Authentication Half Working

I'm having a strange issue with external authentication and PHP. I've got the PHP code set up correctly (I believe) and I pass the authentication token to the Flex application via flashvars and when the application loads the roster pod shows everyone logged into the room including the user just added. But I can't interact with any other components like the whiteboard and the simplechat.
Has anyone ever seen that? Any idea what might be going on? The AuthenticationSuccess event seems to fire correctly but I still can't interact with anything.
=Ryan
[email protected]

I am having a very similar problem, although I am not authenticating externally first. I am able to authenticate inside a flex 4 b2 app and get a list of people in the chat room, but whenever I post anything, I get null exceptions all over the place in the AFCS rtc package.
On another note, does anyone know if there is an open repo I can pull recent updates from for AFCS?

External Authentication won't correctly set USER name or Role

I am using JAVA under Google App Engine for my backend and attempting to log a user into a room using external authentication. I can connect and get into the room just fine my issue is with the user infomation once I am logged in. The user has a null username and ID (possibly generated) and thier role is set to zero (or at least not high enough to publish). If the room is set to auto-Promote then I do have the ability to publish (this is what I would expect) but still I needed the user to have a role of owner (so they can create nodes).
Here is a little of the java on the back end (I removed my shared secret):
public String getRoomToken(String roomID, String userName, String userID, int userRole) {
 try {
 Session session = am.getSession(roomID);
 return session.getAuthenticationToken(..., "Bob", "TestID", 100);
 //return session.getAuthenticationToken(..., userName, userID, userRole);
 } catch (Exception e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 return null;
getAuthenticationToken is hardely changed from what is in the AFCS.java in the examples folder but here it is in any case
/** * get an external authentication token */
public String getAuthenticationToken(String accountSecret, String name, String id, int role) throws Exception
 if (role < UserRole.NONE || role > UserRole.OWNER)
 throw new Error("invalid-role");
 String token = "x:" + name + "::" + this.account
 + ":" + id + ":" + this.room + ":"+ Integer.toString(role);
 String signed = token + ":" + sign(accountSecret, token);
 // unencoded
 //String ext = "ext=" + signed;
 // encoded
 String ext = "exx=" + Utils.base64(signed);
 return ext;
This should work. My Shared secret is removed above but I doubt that is the problem as my app does authenticate just fine it just throws an exception telling me I don't have the required permissions to publish when I try to do anything. while observing from the DevConsole I see a user in the room but they are marked as null. Note that non-external authentication works just fine. If I hardcode my login creds in AdobeHSAuthenticator I can get in just fine with no issue. Also if the room I get an authenticationToken for does not match the roomURL I connect to with ConnectSessionContainer I will fail to login correctly like I would expect. So I know my credentials are getting to the AFCS and being decrypted correctly (as I can only authenticate for the room I send in that credential token) but for some reason it simply won't set my role and username/userid correctly. Any help would be great, this has caused me a great deal of grief for days now...
Thanks guys...
Ves

Well this is wierd I was trying to set this up so that I could get the log output on that run and I ended up changing
<rtc:AdobeHSAuthenticator id="auth" authenticationKey="{Application.application.parameters['token'] as String}"/>
to
<rtc:AdobeHSAuthenticator id="auth" authenticationKey="{token}"/>
and adding a preinitialize function of:
protected function preInit():void
 templateID = Application.application.parameters['room'];
 token = Application.application.parameters['token'];
oddly enough it now works like a charm now. It is still disconcerting that I was able to actually enter the room even though my token was somehow corrupted (that probably isn't intened behavior). If this shows up agian I will try and track down the particulars and send you guys an email as an FYI. thanks for the help....
Ves

External Authentication

Hi,
We need to be able to support external authentication to Oracle 8i. The system we develop is based on a J2EE architecture framework and is being deployed on the BEA Weblogic 8 under SUN Solaris. Currently we are using Oracle Type 4 thin driver. The database is already configured to support OPS$ accounts but we are having problems implementing it in Java. Any suggestions or recommendations? Does somebody have experience implementing it?
Thanks in advance,
Mike

Did you tried copying the dll file to the places where neededand add the path to the dll file in your system environmentvariables. I had these issues and i copied the dll file whereever the errormessage was looking for it and it worked absolutely fine. Hope this helps !

External Authentication Solution?

I am looking for an external authentication solution for Web AS (ABAP Specifically but the whole AS would be preferable)
i.e. Our External Authetication system sits in front of SAP that does Auth then passes username in a HTTP Header to SAP..
So far we have these previous solutions
1. SAP WAS Java -> Using Header Authenticaion Module
2. SAP Netweaver -> Using ITS Standalone configured for PAS and SNC
So For SAP Web AS We need to do this for the ABAP side of things and I from what I can gather from the documentation the only mechanism to do this is to either :
a) use ITS Standalone in front of the SAP Web AS ABAP or,
b) use the current J2EE solution using Header Authentication Module.???
Now we cannot install ITS Standalone so that is out it is then up to the J2ee solution.
My question is : The documentation refers to Integrated Java -> Does this mean that the Java is installed by default? or does it have to be installed separately?
I have installed the Web AS Preview Installation (ABAP) 2004s but I've put it in this forum as it's more general type concept question
Ideally we'd like to have an ICM SSO solution so that we just deal with one point but I don't know if this is possible?

Raff,
Thank you for your reply. We checked with our server configuration and it does appear to have OpenSSL enabled.
extension=openssl.so
Apache Version
Apache/2.2.11 (Unix) PHP/5.2.9 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.7m mod_apreq2-20051231/2.6.0 mod_perl/2.0.3 Perl/v5.8.7
Other than the original apache error log message, we are not getting any error messages in the php error log to indicate a problem. I am making the call from an https://URL with a valid certificate. I get the same error message as before.

External authentication using Headervariable

Hi SAP Experts
We have configured External authentication for WEM using Headervariable.We are using BI Java 7.0
External authentication is working fine using Headervariable Login module for URL http://<WEb Server hostname>/irj which redirect to http://<J2EE hostname>:<port #>/irj
As you all know that we also use http://<J2EE hostname>:<port #> for Administation point of view where many options available like user management, SLD, Webdynpro, NetWeaver Administation etc.We have not configured this URL for External Authentication and also do not want to configure but when tyring to access any administration option on this, portal prompts default logon page and after entering Portal UserID/Password we get message like " No Loginmodules configured for Header"
I do not know why system display this message
Please help me if anyone has experience to resolve this issue, as we want to use URL http://<J2EE hostname:<port #>, which should prompts Portal Logon screen and after entering Portal userid/password we should access the administration screen without afftecting our External Authentication configuration for URL http://<WEb Server host>/irj
Thanks in Advance
Thanks with Regards
Deelip Kumar

Hi Deelip,
my earlier post referred to an additional authscheme that you may have created. If you have done so, please remove it. If you have checked this, there still is a predelivered authscheme called header, wich references a login stack called header. This login stack template does not exist as a default.
In this case, you may have assigned this authscheme (header) to some component, like an iview. How this works is explained in the docs <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/f91fba71ae48309e4267b4a36fa47b/frameset.htm">here</a> and<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/a334ed5bbfd5488b8cdd67b2c594a9/frameset.htm">here</a> for example.
If you have done so, this reference to the authscheme header may trigger the lookup of the login stack template called header, which does not exist and thus leads to the error.
For detailed error analysis, I would recommend to search the security log and the portal logs for indications where the source of this error might be.
Regards,
Patrick

PHP external authentication issue

Similar Messages

Maybe you are looking for