Portal 7 Multi Domain authentication (AD)/ISA 2006 KCD SSO
I am new to SAP portal etc. I have read posts and want some more clarification and pointers.
Basically want to achieve SSO.
We have Portal 7 on Red Had Linux in a thid party data center with SAP ECC/BI etc at backend.
Active directory is windows 2003 forest which has three domains suppose
domain A (for internal employees),
domain B (for internal employees),
and domain C (for suppliers).
assume all domains have bidirectional windows trust.
Scenario 1
We want to authenticate both domain A and domain B user to Portal.
a) Can we do this by using integrated windows authentication and SPNEGO.
b) Does SPNEGO works with multidomain scenario.
c) Do I have to point to Global Catalog or separate KDC for each domain in portal.
d) Does the windows trust matter between domain A and domain B for SPNEGO to work. To me it seems that the trust shoudn't matter if we SPNEGO is using separate KDC for each domain. If going to Global catalog than it might matter.
d) All SPNEGO configuration are on Portal regardless of underlying of OS. Mine is red hat linux.
Scenario 2
We want to bring domain C to access portal also. Since domain C is for suppliers we will authenticate them using Basic authentication over SSL on ISA 2006 reverse proxy and than use Kerberos constrained delegation (KCD) to pass them to portal. so to achieve SSO.
1) if portal is using SPNEGO for this domain C than will it work.
2) I have to check whether ISA 2006 can do multi domain KCD if I change my design where i push all domain A, Domain B and domain C user to go through ISA server reverse proxy before going to portal.
Thanks for helping out.
triwhdxk
Moved by moderator to the correct forum
Edited by: Hilit Fisch on May 25, 2009 1:55 PM
Hi Gaetano
I tried to set back the "uniqueid" in the XML to samaccountname.
Also, i changed the spnego to go only to domain.pt (gs.domain.pt is a child domain).
In the 1st tests this worked perfectly, but we still to do some testings with this config.
When i get confirmation, ill reply here.
Thank you.
PS:. we thought on defining the abap user for each user, but there are a lot of users...
we'll try this config, and if it doesn't work, probably, thats what we'll do.
Edited by: Joaquim Pereira on Feb 12, 2009 5:45 PM
Everything seams to be working now. setting back the uniqueid to samaccountname and configuring spnego to go to only 1 domain solved the issue.
I just need to test which change did the trick.
Edited by: Joaquim Pereira on Feb 13, 2009 1:02 PM
Similar Messages
-
I've got a unique setup I'm trying to get set up with regards to 802.1x and have ran into some issues. I've got Avaya phones that I need to authenticate onto the voice vlan that they are getting via LLDP. But I'm only using 802.1x to keep things off the voice VLAN which is in a VRF. The PCs that will either be connected to the back of the phone or plugged directly into the switch cannot be configured for 802.1x as these PCs are not owned by the department.
My idea was to run multi-domain as seems to be the suggestion for phone deployments and then put anything that fails authentication into the Data VLAN (30) using guest-vlan as well as authorizing them to Vlan 30 when authentication fails. It seems like authentication fail Vlan and guest Vlan cannot be used in multi-domain mode though, so I'm out of ideas and the port is not working properly. Here is my current config that is not working as it's not putting the PC into Vlan 30 when authentication fails. Vlan 40 is the voice Vlan. Vlan 30 is the data Vlan.
interface GigabitEthernet1/0/1
description Test 802.1x port
switchport mode access
switchport voice vlan 40
authentication event fail action authorize vlan 30
authentication event server dead action authorize vlan 30
authentication event no-response action authorize vlan 30
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
dot1x timeout server-timeout 15
dot1x timeout supp-timeout 2
spanning-tree portfast
Any ideas on how I can go about acheiving this?
Thanks,
BrianWell, you can use multiple-authentication mode.
Multiple-authentication (multiauth) mode allows one client on the voice VLAN and multiple authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1x-enabled port, multiple-authentication mode provides enhanced security over multiple-hosts mode by requiring authentication of each connected client. For non-802.1x devices, you can use MAC authentication bypass or web authentication as the fallback method for individual host authentications to authenticate different hosts through by different methods on a single port.
Multiple-authentication mode is limited to eight authentications (hosts) per port.
Multiple-authentication mode also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN, depending on the VSAs received from the authentication server.
VERY IMPORTANT: When a port is in multiple-authentication mode, all the VLAN assignment features, including the RADIUS server supplied VLAN assignment, the Guest VLAN, the Inaccessible Authentication Bypass, and the Authentication Failed VLAN do not activate.
This is the configuration commands:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1271507.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
802.1x multi-domain 3560catalyst nortel ip phone ntdu92
Hello everyone!
I have 3560 catalyst ios 12.2(55)SE5
I need to authorize PC and IP phone on this port. 212 data vlan 500 voice vlan, vlan 111 - Unauthorized VLAN with 256 kbit/sec INTERNET without any local resourses. IP phone authorizes by mab.
#sh mac address-table interface fastEthernet 0/2
212 001a.4b7b.0394 STATIC Fa0/2
500 001b.bafb.7c1c STATIC Drop
#sh running-config interface fastEthernet 0/2
interface FastEthernet0/2
switchport access vlan 212
switchport mode access
switchport voice vlan 500
authentication event fail action authorize vlan 111
authentication event no-response action authorize vlan 111
authentication host-mode multi-domain
authentication port-control auto
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout server-timeout 5
dot1x timeout tx-period 10
dot1x timeout supp-timeout 3
dot1x max-reauth-req 3
storm-control broadcast level 7.00 3.00
storm-control multicast level 15.00 10.00
storm-control action shutdown
no cdp enable
spanning-tree portfast
spanning-tree guard root
end
#sh logging
Jul 29 11:11:03: %DOT1X-5-FAIL: Authentication failed for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID
Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-START: Starting 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %MAB-5-SUCCESS: Authentication successful for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001b.bafb.7c1c) is seen.AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-MACREPLACE: MAC address (001a.4b7b.0394) on Interface FastEthernet0/2 is replaced by MAC (001b.bafb.7c1c) AuditSessionID 0A32FF150000005F25C42541
Jul 29 11:11:04: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:06: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
Jul 29 11:11:06: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID
Jul 29 11:11:06: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
Jul 29 11:11:06: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001a.4b7b.0394) is seen.AuditSessionID 0A32FF150000006125C52D87
Jul 29 11:11:06: %AUTHMGR-5-MACREPLACE: MAC address (001b.bafb.7c1c) on Interface FastEthernet0/2 is replaced by MAC (001a.4b7b.0394) AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:07: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
What is necessary for collaboration PC+IP phone at the same time.
Thanks for your help.Good afternoon. Thanks for Your advice. The problem was the following: forgot to add the command
aaa authorization network default group radius
Now everything is working.
Fa0/2 001b.bafb.7c1c mab VOICE Authz Success 0A32FF15000000B6500A0895
Fa0/2 001a.4b7b.0394 dot1x DATA Authz Success 0A32FF15000000C353ADA437
Thanks to all. -
ISE Wired guest portal redirect even after authentication
Hi
I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.
I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
Here is what I see on the interface
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: a0b3.ccca.2ab1
IP Address: 10.1.3.16
User-Name: A0-B3-CC-CA-2A-B1
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F000001571E52779F
Acct Session ID: 0x00000309
Handle: 0xE6000158
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
Here is the ACL
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain (1344 matches)
20 deny ip any host 172.20.5.12 (8122 matches)
30 deny ip any host 172.20.5.14
40 permit tcp any any eq www (3124 matches)
50 permit tcp any any eq 443 (202927 matches)
60 permit tcp any any eq 8080 (114 matches)
70 permit ip any any (8056 matches)Hi Mohannad,
Thanks for your response.
Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.
We need to find out why the next Auth policy is not hitting once user is authenticated.
Here is the port configuration and the authen status of the port.
ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
Building configuration...
Current configuration : 427 bytes
interface GigabitEthernet4/0/19
switchport access vlan 103
switchport mode access
switchport voice vlan 135
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
ABQT-3FLR-ACC-01#
Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
ABQT-3FLR-ACC-01#
ABQT-3FLR-ACC-01#sh atuh
ABQT-3FLR-ACC-01#sh atu
ABQT-3FLR-ACC-01#sh authe
ABQT-3FLR-ACC-01#sh authentication se
ABQT-3FLR-ACC-01#sh authentication sessions in
ABQT-3FLR-ACC-01#sh authentication sessions interface gi
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: 0015.c5b4.fd4a
IP Address: 10.1.3.23
User-Name: 00-15-C5-B4-FD-4A
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F0000018A32B4D906
Acct Session ID: 0x00000394
Handle: 0x3E00018B
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success -
Multi-Domain LDAP UME configuration
Hello
We have EP 7.0 installed and want to connect the UME to our Corporate
LDAP (MSADS) as data source.
Our ADS is as follows:
domain.pt u2013 This is our top level domain. Here we have our main users.
Gs.domain.pt u2013 This is a child domain of ren.pt. Here are some special
users that cannot be moved to domain.pt level (because of this we have to
use multi-domain configuration)
According to some documents Step 2 of Note 762419 - Multi-Domain Logon
Using Microsoft Active Directory this configuration as to be done
according to a Multiple-Domain UME LDAP Configuration.
Following is is my configuration of LDAP access:
I have set the u201CUME LDAP Datau201D in Config Tool to point to
the u201CdataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xmlu201D configuration file that has been previously change by me following previous documents. The xml is is the end of the message
Also in the u201CUME LDAP Datau201D (Directory Server) I have defined the following settings:
Server Name: dc01.domain.pt (This is the DC of domain.pt)
Server port: 389
User: j2ee-pp3 @domain.pt
Pass: ******* (ok on all configuration tests and authentication)
SSL: NO.
User Path: DC=domain,DC=pt
Group Path: DC=domain,DC=pt
Checked the u201CFlat User Group Hierarchyu201D.
Checked the u201CUse UME Unique id with unique LDAP Attributeu201D.
At u201CAdditional LDAP Propertiesu201D I have set the properties of
ume.ldap.unique_user_attribute(global) and
ume.ldap.unique_uacc_attribute(global) to userprincipalname. This was
done according to the Multi-Domain configuration.
Also ume.ldap.access.multidomain.enabled=true was set the property
sheet of the UME service. After this all checks are ok including in
User Administration in Portal.
Conclusion: We have no problem with SSO and search capabilities
at u201Cdomain.ptu201D level. All users of this domain are able to access the
portal with SSO.
Nevertheless no user from u201Cgs.domain.ptu201D is able to logon. Additionally,
using User Admninistration in Portal with option u201CAll Data Sourcesu201D
returns no results when searching for users from this child domain. It
seems the the configuration file does not recognize gs.domain.pt.
Is it possible that our xml file is incorrectly adapted? Is there any
missing or wrong configuration for multi-domain LDAP access? Please
advice.
Thanks in advance
dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
<dataSources>
<dataSource id="PRIVATE_DATASOURCE"
className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</responsibleFor>
<privateSection>
</privateSection>
</dataSource>
<dataSource id="CORP_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="true"
isPrimary="true">
<homeFor/>
<responsibleFor>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="j_user"/>
<attribute name="j_password"/>
<attribute name="userid"/>
<attribute name="logonalias"/>
</attributes>
</nameSpace>
</principal>
<principal type="user">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="firstname" populateInitially="true"/>
<attribute name="displayname" populateInitially="true"/>
<attribute name="lastname" populateInitially="true"/>
<attribute name="fax"/>
<attribute name="email" populateInitially="true"/>
<attribute name="email"/>
<attribute name="title"/>
<attribute name="department"/>
<attribute name="description"/>
<attribute name="mobile"/>
<attribute name="telephone"/>
<attribute name="streetaddress"/>
<attribute name="uniquename" populateInitially="true"/>
<attribute name="krb5principalname"/>
<attribute name="kpnprefix"/>
<attribute name="dn"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</attributes>
</nameSpace>
<nameSpace name="$usermapping$">
<attributes>
<attribute name="REFERENCE_SYSTEM_USER"/>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="group">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="displayname" populateInitially="true"/>
<attribute name="description" populateInitially="true"/>
<attribute name="uniquename"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attributes>
<attribute name="dn"/>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
</responsibleFor>
<attributeMapping>
<principals>
<principal type="account">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="domain_j_user">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="j_user">
<physicalAttribute name="userprincipalname"/>
<attribute name="logonalias">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="j_password">
<physicalAttribute name="unicodepwd"/>
</attribute>
<attribute name="userid">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="user">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="firstname">
<physicalAttribute name="givenname"/>
</attribute>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="lastname">
<physicalAttribute name="sn"/>
</attribute>
<attribute name="fax">
<physicalAttribute name="facsimiletelephonenumber"/>
</attribute>
<attribute name="uniquename">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="loginid">
<physicalAttribute name="null"/>
</attribute>
<attribute name="email">
<physicalAttribute name="mail"/>
</attribute>
<attribute name="mobile">
<physicalAttribute name="mobile"/>
</attribute>
<attribute name="telephone">
<physicalAttribute name="telephonenumber"/>
</attribute>
<attribute name="department">
<physicalAttribute name="ou"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="streetaddress">
<physicalAttribute name="postaladdress"/>
</attribute>
<attribute name="pobox">
<physicalAttribute name="postofficebox"/>
</attribute>
<attribute name="krb5principalname">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="kpnprefix">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="dn">
<physicalAttribute name="distinguishedname"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="$usermapping$">
<attributes>
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="sapusername"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="group">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="uniquename" populateInitially="true">
<physicalAttribute name="ou"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attributes>
<attribute name="dn">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
</principals>
</attributeMapping>
<privateSection>
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>organizationalUnit</ume.ldap.access.objectclass.grup>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
<ume.ldap.access.naming_attribute.grup>ou</ume.ldap.access.naming_attribute.grup>
<ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
<ume.ldap.access.set_pwd>true</ume.ldap.access.set_pwd>
<ume.ldap.access.multidomain.enabled>true</ume.ldap.access.multidomain.enabled>
<ume.ldap.access.extended_search_size>200</ume.ldap.access.extended_search_size>
<ume.ldap.access.domain_mapping>
[DOMAIN_PT;DC=domain,DC=pt]
[GS_DOMAIN_PT;DC=gs,DC=domain,DC=pt]
[gs;DC=DC=gs,DC=domain,DC=pt]
[domain;DC=pt]
</ume.ldap.access.domain_mapping>
</privateSection>
</dataSource>
</dataSources>
Edited by: Joaquim Pereira on Feb 7, 2009 1:34 PMHi Gaetano
I tried to set back the "uniqueid" in the XML to samaccountname.
Also, i changed the spnego to go only to domain.pt (gs.domain.pt is a child domain).
In the 1st tests this worked perfectly, but we still to do some testings with this config.
When i get confirmation, ill reply here.
Thank you.
PS:. we thought on defining the abap user for each user, but there are a lot of users...
we'll try this config, and if it doesn't work, probably, thats what we'll do.
Edited by: Joaquim Pereira on Feb 12, 2009 5:45 PM
Everything seams to be working now. setting back the uniqueid to samaccountname and configuring spnego to go to only 1 domain solved the issue.
I just need to test which change did the trick.
Edited by: Joaquim Pereira on Feb 13, 2009 1:02 PM -
ISA 2006 publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation
Hi,
I have two Exchange 2010 Sp1 CAS with Windows Network Loadbalancing. I set up an alternate Serviceaccount and mapped the http,ExchangeMDB,PRF and ExchangeAB SPNs.
Then i published the Exchange Services via ISA 2006. OWA is working using Internet -> via NTLM -> ISA(webmail.domain.com) -> via KCD -> CAS-Array(ex2010.domain.com)
I tried the same with Outlook Anywhere (RPC over HTTP) without success.
Authentication to the ISA via NTLM works fine, but i think the isa server cannot delegate the Credentials successfully to the CAS-Server.
The ISA Log looks like:
Allowed Connection ISA 24.11.2011 15:50:40
Log type: Web Proxy (Reverse)
Status: 403 Forbidden
Rule: Exchange 2010 RPC
Source: Internal (172.16.251.33)
Destination: (172.18.10.182:443)
Request: RPC_OUT_DATA
http://webmail.domain.com/rpc/rpcproxy.dll?ex2010.domain.com:6001
Filter information: Req ID: 108b89d8; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
So i always get a 403 Forbidden from the CAS.
I the IIS logfile from the cas server i see this entry:
2011-11-24 15:51:37 172.18.10.182 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 - <ISA IP> MSRPC 401 1 2148074254 203
I use the same Listener for OWA and Outlook Anywhere. Authentication Methods are Basic and Integrated. I forward the request to a webfarm which exists of the two physical CAS. Internal Site Name is set to the NLB name ex2010.domain.com, SPN is set to http/ex2010.domain.com
Thanks for your supportHi, i ran into the same Problem.
the steps above solved mine too (Creating a custom AppPool which runs under LocalSystem).
I wonder why they included only the Script: convertoabtovdir.ps1
http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/dc24ccd3-378a-47cc-bbbf-48236f8fe5b0
Ist this a supported configuration (changing AppPool of RPC)? -
How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)
Good morning everybody,
I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
What I want to do is to be able to authenticate users (802.1x authentication) in our company radius server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with itself). The concept involves the configuration of both DATA and VOICE VLANs as I there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
What I have successfully managed to get to work so far is this:
1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to a the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Bellow is an output from show authentication sessions for this scenario.
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
show authentication sessions:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
What I want to get is an output like this:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
I want the switch to authenticate the users anytime they connect to itself and for them to have an instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked but, two users never had access to the “Internet” simultaneously!!!
The configuration of the interface connected to the Dumb switch is as follows.
interface FastEthernet0/x
description Connection to DUMBswitch
switchport mode access
switchport voice vlan XXX
switchport port-security maximum 10
switchport port-security
switchport port-security violation protect
authentication host-mode multi-auth
authentication priority dot1x
authentication port-control auto
authentication timer reauthenticate 4000
authentication violation replace
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
The way I see it is explained in the following steps:
- PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
- When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
Has anybody ever succeeded in such a configuration example and if yes, I would be love to get some help in doing so?
Thank you
Stoimen HristovHi Stoimen,
I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
From what I can see, you have 2 options available to you:
1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
Hopefully someone else will chime in with another option.
Xavier -
ISA 2006 with IPSEC and NAT - Publishing Outlook Anywhere - TCP Checksum Dropped 0xc0040031 problem
Hi
I am looking to publish Outlook Anywhere, with IPSEC configured as per (http://www.microsoft.com/en-us/download/confirmation.aspx?id=23708) to lock down Outlook Anywhere to
machines with internal certificates only.
I have the following infrastructure setup:
ISA 2006 SP1 - Server 2003 R2 / SP2
-Allows UDP 4500/500 and TCP 443
-Hosted on VMWare ESXi 5
Test laptop - Windows 7
External Firewall static NAT's from a public IP to ISA server and allows the following:
UDP 4500/500
Protocol 50/51
IPSEC policy configured on the ISA server:
-IP Filter List = DMZ IP of ISA server, source port any, destination port 443
-Filter Action = Negotiate Security, Integrity Only
-Authentication Methods = Certifciate Authority, internal enterprise CA selected
IPSEC policy configured on the Windows 7 Test Laptop:
-IP Filter List = External (public) IP of ISA server, source port any, destination port 443
-Filter Action = Negotiate Security, Integrity Only
-Authentication Methods = Certifciate Authority, internal enterprise CA selected
So far the following works:
I have a port listener running on the ISA server to mimic Exchange (just to keep things simple to begin with).
If I unassign the IPSEC policies, I can telnet from an external network on the test laptop successfully to the external IP of the ISA server.
If I assign the IPSEC policies, I cannot telnet from an external network on the test laptop to the external IP of the ISA server. I note the following:
-HTTPS is denied with no rule (an allow rule is present)
-Result Code = 0xc0040031 FWX_E_BAD_TCP_CHECKSUM_DROPPED
-The ISA log shows IKE Client and IPSEC NAT-T client traffic as successful.
-The event log shows main mode and quick mode as successful.
-The IPSEC monitor shows SA's for quick mode and main mode.
If I google the error code I gather it relates to the TCP checksum being calculated by the ISA server disagreeing with the actual checksum received. I guess this is part of AH. I have tried the following:
-Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the ISA server under services\IPSEC and reboot.
-Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the Windows 7 Laptop under services\PolicyAgent and reboot.
-Disable the following in the ISA server registry and reboot:
RSS
SecurityFilters
TCPA
TCPChimney
-Disable Chimney Offload via Netsh command
-Disable all Offload options on VMXNET 3 driver advanced settings and rebooting
-Switching to an E1000 NIC and disabling all offload options and rebooting
-Upgrading E1000 drivers from base version (2002 driver) to intels later version (2008), rebooting and disabling all offload options.
-Run a wireshark trace - cannot see anything useful
-Checked oackley log - cannot see anything useful
I still cannot get the 443 traffic to successfully connect without the FWX_E_BAD_TCP_CHECKSUM_DROPPED error and have run out of google articles.
I would really appreciate if anyone has any suggestions?
Many Thanks
StevenHi,
Glad to hear that. I'll mark it as answer. Thank you.
Best Regards,
Joyce
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
OAM multi-level authentication with an OIF SP
As background, we have 16 Shibboleth IdPs in a federation and users need to access a couple of applications that are protected by OAM (10.1.4.3) using OIF (11g) as the SP. We have a requirement to force re-authentication for a set of URLs protected by OAM. So, if a user accesses application, let's call it LOW, and then attempts to access application called HIGH, we need to reauthenticate the user at the IdP. In OAM, this is the classic use case for multi-level authentication, I think.
Since OIF acts as a gateway, all of the applications "behind" OIF/OAM use the same authentication scheme in OAM, so I can't use OAM's multi-level authentication as we are configured now. I was told by an OIF person at OracleWorld that a possible approach would be to configure a custom authentication engine in OIF that is basically a copy of the OAM authentication engine and set that up at a different authentication level in OAM. However, looking through the documentation, it looks like the authentication engines are only used when OIF is used as an IdP. Perhaps the person meant that I need to set up a custom SP Integration Module? Or am I misunderstanding the role of the auth engine?
The OAM SP Integration Module lets me specify Authentication Schemes and Authentication Scheme Levels. We currently are set up to use OIF-unspecified with a level of 1. Since we want to re-authenticate, however, we really want to use the same authentication scheme but at a different authentication level. Is there a way to achieve that? Can I set up a second OAM SP Integration Module with a different policy domain and set the OIF-unspecified authentication scheme to level 2 on that one? How would I go about doing that -- as a custom SP engine?
Has anyone done anything similar or found a way to force reauthentication using the same authenticator for some applications behind an OIF SP but not others?
Thanks for any help you can provide.
--MikeHi,
Thanks for the reply.
“In fact there is not one use case. There are 5 use cases for which we need to provide Second Level of Authentication functionality. And that also with the flexibility of switching this on/off.
Now as per my understanding we should achieve this through the following flow :
Store one extra attribute in OID per user per service. And that attribute will store the enable/disable information for that particular service and for that particular user.
Now ObAuthentication Scheme class of Access Manager API needs to be used for enabling or disabling the Level 2 authentication scheme as per that attribute.
Is this flow possible.”
Cheers,
Sunny -
Bypassing OAAM multi-factor authentication
Hello
In our project we found an interesting case where it is possible to bypass multi-factor authentication provided by OAM and OAAM. It can also work for a custom multi-factor login application which is integrated with OAM using the Access SDK.
If you integrate OAM and OAAM as officially described in
http://download.oracle.com/docs/cd/E12057_01/doc.1014/e12052/igoam.htm#BABBJACH
you basically have one form authentication scheme which redirects a user to OAAM when trying to access a protected resource. The user enters username/password in OAAM which is send to OAM using the AccessSDK and validated by the authentiction scheme in OAM.
From the point of view of OAM the authentication is completed and OAAM receives the ObSSOCookie. OAAM does not return the cookie to the user but continues with additional authencation steps such as secret questions, fingerprints, etc. If all goes well OAAM returns the ObSSOCooki to the user and he is able to access the protected resource.
The bypass:
OAM has a nice feature (I call it security bug) which allows a user to add authentication credentials as parameters to the URL when accessing a resource. E.g. a user accessing a protected resource such as app.domain.com can simply enter https://app.domain.com?username=xxx&password=xxx and is automatically authenticated provided the username/password parameters and values are correct. By automatically authenticated I mean that there is no redirection to the login form. The authentication credentials are passed by OAM internally to the authentication scheme. There is no post action being sent and intercepted.
Why is this bad? If you are using OAAM as a multi-factor login application passing username/password as URL parameters will not involve OAAM at all. From the point of view of OAM a user is authenticated and there is no need to challenge him with OAAM. No matter what additional authentication factors are configured for OAAM, the authentication process is reduced to one factor (username/passwrod).
Any thoughts on this. I am mostly interested in ideas and approaches to fix this issue.
Regards, DonatHello Steve
Bypassing OAAM works with the latest 10g release of OAAM and OAM and the architecture described in the Oracle documentation
http://download.oracle.com/docs/cd/E12057_01/doc.1014/e12052/igoam.htm#BABBJACH
Any toughts on this issue?
Regards,
Donat -
Hi,
We want something better to replace the ISA 2006, TGM optional, but it will be over soon support.
I would like to ask good tips, which will be good for at least five years.
Network environment: Windows Server 2012 domain controller, Exchange 2013, IBM Maximo, 15 users and ~30 PC and devices, Windows 7 OS and some Windows XP
Thanks.
by, Mishpatim
MishpatimHi.
i believe you are currently using ISA as a reverse proxy service for owa publishing.
TMG or UAG can be a good option. it will be supported till 2020.
otherwise. you can invest in a hardware load balancer like F5 or kemp.
hope this helps.
Eiba -
Multi-Factor Authentication Server and OWA
Hello,
I am trying to implement a two factor authentication solutions for our OWA service using Multi-Factor Authentication server.
What is the best way to accomplish that, Assuming I would like that the only service will be affected by the MultiFactor authentication server is the OWA?
(without affecting the whole IIS service such as ActiveSync etc.?)At present, the MFA Server user enrollment is completely separate from Azure AD. If you want to use the mobile app with the MFA Server, you need to install the User Portal so that users can generate activation codes and set their MFA method to mobile app.
Also, for users to activate their mobile apps, you have to install the Mobile App Web Service, which communicates with the MFA Server via the Web Service SDK to validate the activation code generated in the User Portal. Here are links for installing the User
Portal and Mobile App Web Service.
https://msdn.microsoft.com/en-us/library/azure/dn394290.aspx
https://msdn.microsoft.com/en-us/library/azure/dn394277.aspx?f=255&MSPPError=-2147217396 -
ISA 2006 publish Exchange 2010 Outlook Anywhere with KCD/NTLM and IPSEC - Problem
Hi
I have setup ISA 2006 to publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation and IPSEC.
The clients have an IPSEC policy pushed to them via GPO. The clients are windows 7 laptops and the ISA server is server 2003, so the IPSEC connection is IKE not AuthIP.
However, it seems that the connection will work for a while, then all of a sudden stop working with zero trace of why. I cant get the Oakley log to work and I cant see any traffic on the ISA.
I am wondering if I need to publish the CRL's externally? Currently we don't, and the Outlook Anywhere uses private certificates (as the whole point of IPSEC is to validate the internal certificate, there is no point in using
public certificates).
I have tried using the StrongCRLCheck=0 registry key in the IPsec Policy Agent on the windows 7 machine but it doesn't seem to make a difference.
Any advice would be appreciated.
StevenHi,
Firstly, have you received any related error messages in ISA server or on the clients' side? Besides, as you mentioned IPsec, did you have a VPN connection?
In addition,
While ISA 2006 only includes a Client Access Web Publishing Wizard for both Exchange 2003 and Exchange 2007. Which Exchange version you have chosen when publishing Exchange 2010?
Please also make sure that you have selected the
External interface for the web listener to listen on.
Besides, the link below would be helpful to you:
OWA publishing using Kerberos Constrained Delegation
method for authentication delegation
Best regards,
Susie -
Hi,
Has anyone had any luck getting through to Outlook Web Access through BIS with an ISA server in the way?
We are running Exchange 2007 with ISA 2006 out front providing OWA access, we can get any Windows Mobile phone through but the blackberrys fail. Other than shelling out £28 a month to get BES with BPS is there anything we can do?
Thanks for the help.After much headscratching, I had some success with the following:
1) On the Exchange Client Access Server, set EWS to accept basic authentication
set-webservicesvirtualdirectory “servername\EWS (Default Web Site)” –basicauthentication $true
2) On the ISA, Create an Exchange Client Access rule to publish Outlook Web Access. Use a listener using Basic Authentication. Use an Authentication Delegation of Basic. Add the path /EWS/* to the paths tab.
3) Configure the BIS account to point to https://outlookwebaccessexternalurl
The important thing here is not to include /owa or /exchange because that seems to stop it working
I'd be interested if this works for anyone else.
Cheers,
Harvey -
We are getting rid of ISA 2006 and not replacing it.
Does it need to be manually uninstalled from each server like when removing a domain controller or Exchange server or can the ISA servers just be shut down and machine accounts deleted from AD?Hi,
For the ISA uninstallation, please check the article below. Some configuration information will be deleted when you uninstall the ISA.
ISA Server SE Uninstalling ISA Server Software
https://technet.microsoft.com/en-us/library/bb794728.aspx
Best Regards,
Joyce
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Maybe you are looking for
-
To sync or not to sync, that is the question
Hi all, I've set our subscribers to use the variable DEST_VOLUME and have generally set that variable to be DATA:\ accross the country. All distributions, however, distribute to %DEST_VOLUME%\Replicated Files\<distribution> The Replicated Files direc
-
Regarding Sales order creation using Material with Parent-child
hey guys i cannot create sales order for parent child material using Below bapi(BAPI_....ORDERDAT2). Could you please tell me if any special parameter should be set with this bapi to create the order for PARENT MATERIAL AND child materials. i am able
-
Generate excel sheet list file through program
Hi, I have to generate list in excel which is having column with fixed length. I m using classical report for output then in output i m generating excel file . but that file is not with fixed column length. how ALV will be useful in this case Please
-
Hi there! We have an head office account. When we viewed it in FBL5N with the following paramters: Customer, Company code and Open item as of xx.xx.xxxx. The result of which for example is 50000USD. Then we tried to use FBL5N but with different param
-
Photos arent getting uploaded on photo stream on pc
when i take a photo , it gets uploaded in the photo stream on my iphone , but it isnt ter on the pc. but what is unusual is that incase i put a photo in the upload folder on my computer , then it is ter on my phone and in the photostream on the compu