Provisioing with Access Policy

Hi All
I have made one Access policy for Full-Time employees.
I want that if admin creates a user who is Full-Time employee, it shouls automatically get provisioined with AD.
I have made that Access Policy. But If Admin craetes one user who is Full-Time Employee then provisioing status goes into *"READY"* State.
It stucks in Resource form.
And in my resource form only one lookup field is there. And i have put Value already in that lookup.
Could any one please tell me the solution for this.
Thanks a lot!

Hi
I made access policy Without Approval.
That extra field i.e. AD SERVER, I have already filled with ADITResource.
Actually i have made one resource form, i'm giving value of AD Server from there & it is prepopulation in process form.
But When user gp for provisioning then it stuck in Resource Form not in Process form. It shows status Ready.
Is it possible to remove that Resource form from access policy, I think it may remove my problem ?
But i don know how to remove resource form from Access Policy region.
Please suggest.
Thanks for these replies.

Similar Messages

Disable AD account with access policy

Hi all,
how can I disable AD account with access policy (or create AD account in disabled state)
Regards,
Vladimir

Dewan.Rajiv wrote:
Access Polcies are just for triggering provisioning. You can custom AD connector or write your own to create user in disabled state using JNDI.Hi Dewan,
I have to create a simple demo system, and I need a solution which is not too weird (that means use as little of disparate technologies as possible).
I have two connected systems:
1. HR system, which is a trusted source for user and organizational data.
2. AD system, which is my provision destination.
I want to comply to the following requirements:
1. When a user is created in HR system, a new OIM account shall be created, and a new AD account shall or shall not (depending on HR data) be created in AD in disabled state
2. When a user is marked as dismissed in HR system, the AD account if exists, shall be disabled and moved to some special place in AD tree.
3. Same rules shall apply if the OIM account is created or marked as "Dismissed" manually by OIM administrator.
I use OIM reconciliation to get source data and it is no problem for me to create any reconciliation event I need.
I was considering creating Group->Access Policy->Resource chains, but Access Policy allows only to manage AD attributes, not account enable status.
Or should I add some unmapped pseudo-attribute to AD connector and a task which will enable/disable AD account based on the value of this attribute?
What other options do I have?
Regards,
Vladimir

Role getting revoked with Access Policy

Hi,
I have a Access Policy which will provision to a Resource Object with only one special role. Whenever a user belongs to the group according to a rule called USR_UDF_GLOBALSTATUS == Active, automatically user is getting provisioned to the Resource object with that Role as per the access policy.In this access policy, "Revoke if no longer applies" option is disabled for that Resource Object.
Whenever for that user, USR_UDF_GLOBALSTATUS == Active is changed as USR_UDF_GLOBALSTATUS == InActive from reconciliation, the user is removed from that Group. Till here everything is fine. But the Special Role assigned to that user is also getting revoked. I haven't enabled "Revoke if no longer applies" option. But how come the role is getting revoked?
According to my requirement, that special role should still stay even if the user is removed from the group. Please help...
- Pavan

Enable all logging. Check and see if the user was a member of more groups than just the one. There might be more than one access policy for the user, one that gives the resource with a base set of values for the parent form, and then another access policy that has a lower priority that provides the role. Also look at the Xellerate User object and check for any tasks that might be triggered on this change in value as well as other values. Your best bet is to look at the user and all their groups and resources. Then perform your change, and look on their resource profiles both in targets, and on the xellerate user object, and see what all tasks were inserted.
-Kevin

Problem with Access Policy

Hi All!
OIM 11g:
1. I have installed DBUM 9.1.0.4
2. I have configured IT Resurce, and RO for granting user MS SQL User and database role (for example in HRData db)
3. I have created Role named: "HRData DB User" and Access Policy named: "HR Data DB User" wchich grants correct RO.
4. When role is granted by xelsysadm for specific oim user everything is OK.
Problem:
when user request for role: "HRData DB User" from Self-Service portal, and request is approved by xelsysadm, role is granted but RO is not granted. I have following error:
+<Nov 19, 2010 1:12:46 PM CET> <Error> <XELLERATE.SERVER> <BEA-000000> <Class/Method+
+: tcDataObj/eventPreInsert Error :Insert permission is denied>+
+<Nov 19, 2010 1:12:46 PM CET> <Error> <oracle.iam.accesspolicy.impl.handlers.provis+
ioning> <IAM-4030308> <An error occurred in oracle.iam.accesspolicy.impl.handlers.p
rovisioning.ProvisionAccountActionHandler while provisioning resource 161 to user 4
+3 and the cause of error is DOBJ.INSERT_PERMISSION_DENIED: H: You do not have permi+
ssion to insert this object..>
+<Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030081>+
+<[CALLBACKMSG] Inside completion plugin for request 68.>+
+<Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030082>+
+<[CALLBACKMSG] Inside completion plugin for request 68, target tye is Role and ope+
ration is SELFASSIGNROLES.>
+<Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030082>+
+<[CALLBACKMSG] Inside completion plugin for request 68, target tye is RoleUser and+
operation is CREATE.>
Any suggestions?
best
mp

Hi Rajiv,
So, there is no way we can implement this?
My requirement is same as this,
OIM: Question about "Auto Save" option on Resource Object
I have a Resource Object that needs to be provisioned at least two ways:
1) thru an access policy by group membership
2) thru user self-request, who is not already in that group membership
The problem is if I don't check the "Auto Save" check box the automatic assignment thru access policy is not completing and If I do check the check box then user request is not letting the user to enter values into the resource form. Instead it is directly going to submit request. Looks like these are mutually exclusive.
Is there a way to make both work on the same Resource Object?
Thanks
SK

Problem with Access policy Provisioning on AD

Hi,
I have created an access policy, which will trigger the provisioning the user to AD when the user is added to group 'abc'.
Its without approval.
We have object form and process form. Process form is autosave.
But, the problem is, as soon as the user is added to the group 'abc'.
It triggers the provisioning flow. But the provisioning will be in ready state only.
When we go and save the resource form only the provisioning flow triggers.
If we make the object as auto save, it will work. But in our case we cannot make the object autosave as it has a resource form to be filled by user in other flow.
Is there any approach to solve the issue?
Regards,
SK

Hi Rajiv,
So, there is no way we can implement this?
My requirement is same as this,
OIM: Question about "Auto Save" option on Resource Object
I have a Resource Object that needs to be provisioned at least two ways:
1) thru an access policy by group membership
2) thru user self-request, who is not already in that group membership
The problem is if I don't check the "Auto Save" check box the automatic assignment thru access policy is not completing and If I do check the check box then user request is not letting the user to enter values into the resource form. Instead it is directly going to submit request. Looks like these are mutually exclusive.
Is there a way to make both work on the same Resource Object?
Thanks
SK

Help Required With Access Policy Trigger On Enable User In Oim 11gR2

My scenario is:
We have a created a access policy for the user.
Scenario1:
As soon as the role is added to user, the account is provisioned. -Working
Scenario 2:
As the user is disabled, the account gets revoked-Working
Scenario 3:
As the user is enabled, the new instance of the account should get provisioned.(It was earlier working in 11G r1)
"Evaluate User Policies " is running every ten minutes.Manually also triggered it. but the account doesn't get provisioned after the user is enabled.
Any inputs?
Please help

Your Scenario 2:
As the user is disabled, the account gets revoked-Working ----> ITS WRONG if you are using OOTB feature of OIM
-> When the user gets disabled, the accounts should get disabled. The result which u are getting above is not OOTB. Have you made any customization to any logic?
Just for your info, there is one system property which is used to enable disabled resources when the user is enabled:
http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/system_props.htm#OMADM884
Enable disabled resource instances when a user is enabled
If the value is TRUE, then the disabled resource instances are enabled when a user is enabled.
XL.EnableDisabledResources
TRUE

Issue with UAG/TMG communication to published SharePoint application is blocked by access policy settings

We have a UAG/TMG server set up with SharePoint published. The UAG is also doing load balancing for the SharePoint farm. We have an MDM application that is trying to connect to our SharePoint but our SharePoint is routed through the UAG. The MDM application
does not need to be published neither is there any component that can be accessed directly by end users. It is more of a proxy to relay content to mobile devices. It is using 443 and two other secondary ports.
On the TMG logs, we can see requests hitting the TMG over port 443 from the MDM application server. We can also see that it is trying to be routed to our SharePoint but we get the following error in the TMG log:
“Filter information: A request from source IP address xx.xx.xx.xx, user to trunk portal; Secure=1 for application SharePoint of type SharePoint15 failed. The endpoint device does not comply with access policy settings ([%PolicyId%]) for session [%SessionId]”
The source IP is the internal IP of the host running the MDM application. In the UAG side, under the SharePoint publishing rule, for Access Policy Settings we have tried selecting the 'Always' option but that had no effect. It appears like there is a policy
blocking communication to SharePoint. Does anyone have a suggestion on which policy or where the policy that is controlling this is located so that we can try to resolve this issue? Thanks.

Looking at the UAG Web Monitor, it says that the access policy is 'Hybrid_Default_Session_Access' and the URL is /_vti_bin/Webs.asmx.
We can't find a 'Hybrid Default Session Access' policy. In the Endpoint Policy Settings tab, we tried using 'Always' for the Access Policy for the published SharePoint application but that did not make any difference.

ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

Hello guys, I am found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.
ACS version: 5.3.0.40.6 (internal build B.839)
I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.
Requested Identity Group exist
Testing user is created in Internal Users and has assigned requested Identity Group
Radius Access Policy:
Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.
I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
What I am tested:
Remove testing user and create his account again.
Rename Identity Group
Use another Identity Group
Remove Access Policy rule and create it again
Use Compound Condition: System:Identity Group
Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
Do you have any idea where problem can be?

OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistence wich was solved by ACS itself.

E1200 V2 with no "internet access policy" in built-in web-based setup

I just bought a factory refurbished E1200. The label on the bottom says it is a Version 2 model. When I purchased it, it was loaded with 2.0.02 firmware but I upgraded the firmware to 2.0.04
My problem is that I'm trying to setup MAC address-based restrictions thru the manual/web-based setup and when I click on the "Access Restrictions" tab, I only have simple "Parental Controls" and not the advanced "Internet Access Policy".
Is it possible that I have a mislabeled V1 device? If that is the case, how is it that I was able to upgrade the firmware using firmware from the V2 downloads section.
Do V! and V2 units use the same firmware but more importantly, how do I upgrade the built-in software so that I have the advanced "Internet Access Policy" controls?
Thanks!
Eric
Solved!
Go to Solution.

Very strange indeed then! My subtab only has "Parental Controls" listed.
I've compared it to the one shown here ( http://ui.linksys.com/files/E1200/2.0.00/inter_access.htm ) - and mine does not look like this at all!
I think i have a mislabeled V1 model or at least V1 software loaded,
Does anyone know if it is possible to download and reload the software that is built in to the router or do I need to return it and get a (hopefully) new one?
Thanks!
Eric

How to protect both access (http and https) with a Policy Agent

Hi,
During the installation of a web Policy Agent (i.e. Policy Agent for IIS) we have to choose the protocol (and port) of the web server we want to protect.
If we have an IIS with secure (https) and non secure (http) applications, how we manage this scenario with the policy agent?
Regards,

Hi,
Finally, i have installed the agent in IIS5 in the non secure port (http) and in fact it detects both access (http and https) fine.
The problem now is that if i try to access to a non secure url ( http://mynonsecureapp.com ) all works fine, the agent redirects to https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mynonsecureapp.com but when i try to access to a secure url ( https://mysecureapp.com ) the agent try to redirects me to: https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mysecureapp.com (notice that the agent removes the 's' in the url).
The amAgent log file shows:
+2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_notification(), https://sigcit.agp.gva.es:443/fullcitriweb is not notification url http://sigcit.agp.gva.es:80/amagent/UpdateAgentCacheServlet?shortcircuit=false.+
+2008-07-17 09:44:08.296 Warning 656:d8f6b0 PolicyAgent: OnPreprocHeaders(): Access Manager Cookie not found.+
+2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): url 'https://sigcit.agp.gva.es:443/fullcitriweb' path_info ''.+
+2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): processing url http://sigcit.agp.gva.es:80/fullcitriweb.+
+2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): client_ip 172.27.65.62 not found in client ip not enforced list+
Any ideas?
Regards,
Edited by: idm_oceanic on Jul 17, 2008 1:33 AM

LDAP (openldap) authorization with DAP (dymamic access policy)

Hello,
We have a asa 5520 and we try to make a ldap (openLdap) authorization with DAP (Dynamic Access Policy). We have problem with logical expression. We need more example of logical expression and we need to know how debug logical expression. We try to use de Debug dap trace and debug dap error but we need more debug informations.

Hi
I guess you are using an ldap attribute map, to map the ad group to a group policy. This does not work as you may expect when the user is part of multiple groups, I.e. the user will always be mapped to the same group (first or last in the list, not sure).
Possible solution : remove the ldap attribute map, and configure dap rules that check the ldap.memberOf attribute instead
Hth
Herbert
Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.

Create Access Policy with OIM API: can't fill child form

Hi!
I'm having a problem with creating OIM Access Policy with API. I'm doing the following:
1. Create a new access policy via AccessPolicyIntf
2. Add a resource object which will be provisioned to all users who are within policy scope
3. Get Resource Object (Parent) Form Definition via FormDefinitionIntf
4. Add data to parent form (AccessPolicyIntf setFormData(FormDefinitionKey))
5. Now I want to add data to the child form, for that purpose I need to know child form definition key, but I can' get one, because there's no method like 'getChildFormDefinitionKey' in FormDefinitionIntf interface.
Please, help me to get child form definition key, knowing parent form definition key and version

See if this code helps:
public String addChildTableValue(long userKey, String group, String objectName, String fieldName tcDataProvider ioDatabase) {
log.debug("addChildTableValue() Parameter Variables passed are:" +
"userKey=[" + userKey + "]" +
"group=[" + group + "]" +
"fieldName=[" + fieldName + "]" +
"objectName=[" + objectName + "]");
try{
tcUserOperationsIntf userIntf = (tcUserOperationsIntf)tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcUserOperationsIntf");
tcFormInstanceOperationsIntf formIntf = (tcFormInstanceOperationsIntf)tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcFormInstanceOperationsIntf");
boolean roleExists = false;
//Result set of all Object for user
tcResultSet obResultSet = userIntf.getObjects(userKey);
if (obResultSet.isEmpty()){
log.error("User has no provisioned objects");
return "NO_OBJECTS_EXIST";
}else{
for (int ii=0; ii<obResultSet.getRowCount(); ii++){
obResultSet.goToRow(ii);
if ((obResultSet.getStringValue("Objects.Name").equals(objectName)) &&
(!(obResultSet.getStringValue("Objects.Object Status.Status").equals("Revoked")) &&
!(obResultSet.getStringValue("Objects.Object Status.Status").equals("Provisioning")))){
log.debug("Resource object found: " + objectName);
//Process Instance Key of the object
long plProcessInstanceKey = obResultSet.getLongValue("Process Instance.Key");
log.debug("Process instance key: " + plProcessInstanceKey);
//Process Key for the parent for
long plParentFormDefinitionKey = obResultSet.getLongValue("Process.Process Definition.Process Form Key");
log.debug("Parent form definition key: " + plParentFormDefinitionKey);
//Form version of the parent form
int pnParentFormVersion = formIntf.getProcessFormVersion(plProcessInstanceKey);
log.debug("Parent form version: " + pnParentFormVersion);
//Result set of Child Form information
tcResultSet childFormResultSet = formIntf.getChildFormDefinition(plParentFormDefinitionKey, pnParentFormVersion);
//Child form definition key
long plChildFormDefinitionKey = childFormResultSet.getLongValue("Structure Utility.Child Tables.Child Key");
String plChildTableName = childFormResultSet.getStringValue("Structure Utility.Table Name");
log.debug("Child form definition key: " + plChildFormDefinitionKey);
log.debug("Child table name: " + plChildTableName);
tcResultSet childFormData = formIntf.getProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey);
if (!(childFormData.isEmpty())){
log.debug("Searching child table current values");
for (int iii=0; iii<childFormData.getRowCount();iii++){
childFormData.goToRow(iii);
String fieldValue = childFormData.getStringValue(fieldName);
log.debug("Child table entry: " + iii + " | value: " + fieldValue);
if (fieldValue.equals(group)){
roleExists = true;
log.debug("Value already exists in child table");
return "DUPLICATE_VALUE";
log.debug("Value not found in child table");
if (!roleExists){
Hashtable childFormHash = new Hashtable();
childFormHash.put(fieldName, group);
formIntf.addProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey, childFormHash);
log.debug("Value successfully added to table");
return "VALUE_ADDED";
log.debug("Provisioned resource " + objectName + " object not found");
return "OBJECT_NOT_FOUND";
catch(Exception ex){
ex.printStackTrace();
return "ERROR";

Not able to get the AD organizations list while creating access policy

Hi All,
Had created IT Resource for AD server, and was able to successfully connect to it. And Now when I try to create a access policy, where I am not able to view any organization from AD.
Can someone please let me know how to resolve this.
Thanks in advance.....
Regards
Arun

Please check the error log which I am getting when I ran the schedule job
======= Start Stack Trace =======================>
<Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <com.thortech.xl.schedule.tasks.ADLookupReconTask : performReconciliation>
<Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]>
<Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <Description : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecu
rityContext error, data 52e, vece ]>
<Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <com.thortech.xl.exception.ConnectionException: [LDAP: error code 49 - 80090308: LdapErr: D
SID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupReconTask.performReconciliation(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:384)
at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
>
<Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <================= End Stack Trace =======================>
Based on which I had checked the credentials I provided, and they are correct. I am able to connect to AD with same credentials when I create new IT Resource.
Not sure what went wrong
Regards
Arun

Too Slow - Domino 6.5.4 with access manager agent 2.2 ?

I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
I think AMAgent.properties is not good for SSO.
Please help me to tune it.
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
# Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
# ? celles-ci.
# Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
# Set the logging level for the specified logging categories.
# The format of the values is
#     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
#     0     Disable logging from specified module*
#     1     Log error messages
#     2     Log warning and error messages
#     3     Log info, warning, and error messages
#     4     Log debug, info, warning, and error messages
#     5     Like level 4, but with even more debugging messages
# 128     log url access to log file on AM server.
# 256     log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level =
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
#http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = false
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

Hi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas

Android MS RDP - RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402).

I love iTap Mobile. Paid for the app. Sorry to see them discontinue it, but now I know why. Microsoft bought them out! But even though free, I am getting an error: RPC Error: Your connection was denied because of a Resource Access
Policy (TS_RAP). Please contact your server administrator. (2147965402). I worked with iTap to fix this so I guess they sold Microsoft their older buggy code... Microsoft, please fix!
PS: This is the Android version. Mac and iOS are both okay.
EDIT: After an update a few months ago, iOS is no longer working. Not sure if the problem is related to the Android MSRDP issue.
UPDATE - Relevant posts (need Android RDP software engineer to fix):
Event Viewer Log when using Android client:
The user
"DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This
is most likely for logging into RD Web - icons shows up).
The
user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource"localhost".
The following error occurred: "23002". (This is after clicking on any
of the icons).
I
think the Android MS RDP client is providing the incorrect resource. It shouldn't be "localhost".
It should be the RD Connection Broker's hostname, I believe.
Here's what it should look like (connected using a Windows PC going
through the RD Web portal via Internet Explorer):
The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection
authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource
authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
The user "DOMAIN\testuser", on client computer "10.x.x.x", connected
to resource "rdsfarm.domain.com".
Stephan,
Do you have any way to contact the software engineer who worked on the Android version of the RDP client? Please
have them read this thread. They need to fix the hard coded "localhost" resource to be a variable (namely whatever the user put in for the server).
This is why the MS RDP app is failing in situations where the FQDN for the RD Gateway and Connection Broker uses
the same host name.
Again, this is not a configuration problem on our end as it works as intended with the native Windows RDP client
as well as the Mac and iOS version of the mobile RDP client (all based on iTap Mobile's RDP app).
This is a problem specific to the Android RDP app.
PS: No matter how hard I try, the WYSIWYG editor is not very WYSIWYG at all, and so everything here looks messed up even though it looked right when I posted it (it is deleting new blank lines I'm inserting to make it spaced out and easier to read). See
below to read the post in context.

Thanks for the bumps, everyone. I haven't check this thread in a while because I basically gave up on Microsoft's ability to respond. Unlike paid apps, there's no number to call or ticket to open when an app like this malfunctions.
Just to give you an update, iOS users started having issues connecting a few months ago. I don't remember what version started this. I'm not sure if it's the same problem.
Also, the newest version now gives a slightly different error message: RpcOverHttpEndpointException: 2, Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator.
For Android users, I am starting to recommend Xtralogic Remote Desktop Client. It's a paid app, but it works great. I don't know of any alternative for iOS.
MSRDP for Mac OSX (was also an iTap application) continues to work throughout the many updates.
We need a software engineer from MS to read my first post. All the information that will point to a fix is there. I strongly believe someone hardcoded the string "localhost" instead of using a variable to point to the FQDN of the rdsfarm
name.
Here's that info again (copied/pasted). It doesn't take an engineer to understand the issue. If you know how to decipher Event Logs, you can see where the problem is.
Event
Viewer Log when using Android client:
The
user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This
is most likely for logging into RD Web - icons shows up).
The
user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource"localhost".
The following error occurred: "23002". (This
is after clicking on any of the icons).
I
think the Android MS RDP client is providing the incorrect resource. It shouldn't be "localhost".
It should be the RD Connection Broker's hostname, I believe.
Here's
what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
The user "DOMAIN\testuser", on client computer "10.x.x.x",
met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
The user "DOMAIN\testuser", on client computer "10.x.x.x",
met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
The user "DOMAIN\testuser", on client computer "10.x.x.x",
connected to resource "rdsfarm.domain.com".

Provisioing with Access Policy

Similar Messages

Maybe you are looking for