Proxy login from externally authenticated user

Hi Experts,
I created an externally authenticated user in database. And can login without password with below syntax.
SQL> connect / @TESTDB
Connected.
SQL> show user;
USER is "SCOTT"
This scott user has a proxy permission to another DBuser PROXY_USER.
I got the syntax but that works only from Database OS.
sqlplus [proxy_user]/
SQL*Plus: Release 11.1.0.6.0 Production on Mon Nov 15 16:28:47 2010
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
I can connect as externally authenticated user from windows CLIENT running on Release 10.2.0.1.0
SQL> connect / @TESTDB
Connected.
But the above mentioned Proxy connectivity syntax fails with below from CLIENT
SQL> connect [proxy_user]/ @TESTDB
SP2-0306: Invalid option.
Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
where <logon> ::= <username>[<password>][@<connect_identifier>] | /
But the same syntax works from Database OS!
I can login from TOAD but can't login from SQLDEVELOPER or SQLPLUS
My sqldeveloper version is:
Version 2.1.1.64
Build MAIN-64.45
and sqlplus is:
SQL*Plus: Release 10.2.0.1.0
Any idea?
Thanks.
Edited by: Nadvi on Nov 18, 2010 3:09 PM

Hi Nadvi
If you get SQLPLUS working, SQLDeveloper (thick jdbc/oci/instant client) is certainly worth trying.
I am not sure what the issue is with your setup; the proxy use cases I am familiar with are:
Through the SQLDeveloper ui
There are two ways of doing proxy logins:
where p1 is proxy user and c1 is proxy client:
1/single session method (if no 2nd password or distinguished name required)
on main connection popup
user: p1[c1]
password: p1
2/Two session method
Main Connection popup
user: p1
password: p1
popup connection authentication
proxy client: c1
none or password or distinguished name
-Turloch
SQLDeveloper Team
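
A server-side review of the setup discussed in this thread, as an added example that is not part of the original posts: it grants the proxy right, lists who may proxy as whom, and shows what a proxy session reports about itself. SCOTT and PROXY_USER are the names from the question; the queries assume a DBA session on 11g, where DBA_USERS has the AUTHENTICATION_TYPE column.

```sql
-- Added example; run as a DBA. SCOTT and PROXY_USER are the names used in the question.

-- 1. Let the externally authenticated account SCOTT open sessions as PROXY_USER.
ALTER USER proxy_user GRANT CONNECT THROUGH scott;

-- 2. Every proxy grant in the database: PROXY may connect as CLIENT.
SELECT proxy, client, authentication, flags
  FROM proxy_users
 ORDER BY client, proxy;

-- 3. Externally authenticated accounts that can reach another schema through a
--    proxy grant, with the system privileges and roles held by that schema.
SELECT u.username AS external_user,
       p.client   AS reachable_schema,
       g.privilege
  FROM dba_users u
  JOIN proxy_users p
    ON p.proxy = u.username
  LEFT JOIN (SELECT grantee, privilege    FROM dba_sys_privs
             UNION ALL
             SELECT grantee, granted_role FROM dba_role_privs) g
    ON g.grantee = p.client
 WHERE u.authentication_type = 'EXTERNAL'
 ORDER BY 1, 2, 3;

-- 4. Parameters that decide how "connect /" is mapped to a database account.
--    With remote_os_authent = TRUE the database accepts the OS user name
--    reported by the client host for a remote "connect /".
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 5. Inside a proxy session: who authenticated and which schema the session runs as.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')            AS proxy_account,
       SYS_CONTEXT('USERENV', 'SESSION_USER')          AS session_account,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'OS_USER')               AS os_account
  FROM dual;

-- 6. Withdraw the proxy right when it is no longer needed.
ALTER USER proxy_user REVOKE CONNECT THROUGH scott;
```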

Similar Messages

  • Creating Externally Authenticated users

    Greetings,
    We recently migrated our Security team from Windows XP to Windows 7. With this upgrade, they were forced to stop using the java Oracle 9i Enterprise Manager to manage security and database users. I was able to find the View->DBA tab in Oracle SQL Developer which allows for things like CREATE LIKE, CREATE, etc, but under the CREATE USER, I see nowhere where the tool allows for a user other than a normal database authenticated account. We have a few key databases where we must create externally authenticated users (EXTERNAL) and this just isn't an option. Is this functionality anywhere in the tool?
    Thanks
    Bradd

    We recently migrated our Security team from Windows XP to Windows 7. With this upgrade, they were forced to stop using the java Oracle 9i Enterprise Manager to manage security and database users. I was able to find the View->DBA tab in Oracle SQL Developer which allows for things like CREATE LIKE, CREATE, etc, but under the CREATE USER, I see nowhere where the tool allows for a user other than a normal database authenticated account. We have a few key databases where we must create externally authenticated users (EXTERNAL) and this just isn't an option. Is this functionality anywhere in the tool?
    I don't understand what you are trying to do.
    Post your full sql developer info and explain in detail what you mean; with an example if possible.
    You can create users in the DB the way you do with any tool: write the appropriate DDL for CREATE USER. For OS authentication you add the OS_AUTHENT_PREFIX to the user name.
    In sql developer create connections for those users using the connections dialog that you use for any other user. On that dialog there is a checkbox for OS authentication.
    See this article by Sue Harper and see if the example for local OS authentication she provides answers your question:
    http://www.oracle.com/technetwork/issue-archive/2008/08-may/o38sql-102034.html
    To configure local OS authentication for a new user, first find the value of the OS_AUTHENT_PREFIX database initialization parameter in your system's init.ora file. When you create this new user in the database, you must add this parameter value as a prefix to the OS username. The default value is OPS$, for backward compatibility with earlier database releases. (If the value is "", the OS username and the database username are the same, so you don't need to add a prefix to create the Oracle usernames.)
    Establish a basic connection with the HR schema as the SYSTEM user. Execute the following from the SQL worksheet, using your database's OS_AUTHENT_PREFIX prefix and substituting your own OS username for "sue":
    CREATE USER ops$sue IDENTIFIED EXTERNALLY;
    GRANT connect, resource TO ops$sue;
    Now create a basic connection for this user from the New / Select Database Connection dialog box. Enter a connection name; select Basic for Connection Type; fill in the Hostname and Port fields; select OS Authentication; and provide a SID or Service name. Click Test and Connect as before.

  • Password aging for externally authenticated user

    Hello All:
    How can we implement the password aging of externally authenticated user.
    Thanks
    San~

    If the user is externally authenticated, then the password expiry should be external. E.g for the unix account.
    "When you choose external authentication for a user, the user account is maintained by Oracle, but password administration and user authentication is performed by an external service. This external service can be the operating system or a network service, such as Oracle Net.
    With external authentication, your database relies on the underlying operating system or network authentication service to restrict access to database accounts. A database password is not used for this type of login. If your operating system or network service permits, you can have it authenticate users. If you do so, set the initialization parameter OS_AUTHENT_PREFIX, and use this prefix in Oracle user names. The OS_AUTHENT_PREFIX parameter defines a prefix that Oracle adds to the beginning of every user's operating system account name. Oracle compares the prefixed user name with the Oracle user names in the database when a user attempts to connect."

  • Externally Authenticated User

    Hi, My application is a Pro C / Oracle 8i based application. I was using hardcoded user ids and passwords which we removed thru externally authenticated user. Now my application is stable in production but users are complaining of very slow performance of Oracle database.
    Is this due to externally authenticated user id ? Does it impact the system performance ?
    Edited by: user594301 on Jan 21, 2009 3:01 AM

    Were you using lightweight sessions or connection pooling before and now initiating a new connection for each user?

  • Externally Authenticated Users

    Dear Sirs;
    I have a windows 2003 server with Oracle Database R2 installed on it. I have been trying to create an externally authenticated user but unfortunately it is not working. Are there any special procedures that I must pay attention to? I followed all the instructions that are mentioned in the documentation in the library section.
    Thank you in advance for your help.
    Mazen

    Dear Sirs;
    I could finally solve this problem. It turned out that the registry must contain the following entry: osauth_prefix_domain with the value of 0. This entry is located in windows registry > HKEY_LOCAL_MACHINE > SOFTWARE > ORACLE > KEY_OraDb10g_home1. This entry was supposed to be there by default but for some reason it wasn't.
    Anyway thanks for everyone who considered helping.
    Mazen

  • User is not able to Login from external supplier, using the WSS (ICH)

    Hi Gurus,
    The user is not able to login to the server externally from url.
    dev_icm is giving below warnings:
    [Thr 11052] IcmWatchDogThread: watchdog started
    [Thr 11309] ** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set  => do
    not trust any intermediary*
    X.509 cert data will be removed from header [http_plg_mt. 720]
    [Thr 11309] =================================================
    [Thr 11309] = SSL Initialization  on  IBM RS/6000 with AIX
    [Thr 11309] =   (700_REL,May  3 2008,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
    [Thr 11309]   profile param "ssl/ssl_lib" = "/usr/sap/SCA/SYS/exe/run/libsapcrypto.o"
               resulting Filename = "/usr/sap/SCA/SYS/exe/run/libsapcrypto.o"
    [Thr 11309] =   found SAPCRYPTOLIB  5.5.5C pl16  (Jun 10 2004) MT-safe
    [Thr 11309] =   current UserID: "scaadm",  env-var USER="scaadm"
    [Thr 11309] =   using SECUDIR=/usr/sap/SCA/DVEBMGS41/sec
    [Thr 11309] =  secudessl_Create_SSL_CTX():  PSE "/usr/sap/SCA/DVEBMGS41/sec/SAPSSLA.pse" not found,
    [Thr 11309] =      using PSE "/usr/sap/SCA/DVEBMGS41/sec/SAPSSLC.pse" as fallback
    [Thr 11309] = Success -- SapCryptoLib SSL ready!
    [Thr 11309] =================================================
    HTTPS (SSL) settings are as below, I think which means that no ssl certificates are required.
    icm/HTTPS/verify_client        = 0
    Kindly help urgently.
    regards,
    MJ

    this is SCM system.
    SSL CA's are set.
    what should be value of the parameters?
    icm/HTTPS/trust_client_with_issuer or
    icm/HTTPS/trust_client_with_subject
    http and https ssl connections are correctly set.
    I think the "SAPSSLA.pse" not found is not the problem, as the parameter icm/HTTPS/verify_client = 0 is set, it means that no ssl certificates are required.
    problem is coming when the system is being accessed externally using other secure domain name.
    the system is being accessed ok from web urls which are internal, but not external.
    for example in strust tcode the domain name is *abc.com, which is running fine when accessing the system internally.
    but when the user is accessing this system from other secure login from *xyz.com, which is also the same company's domain, then the user is not able to login, it's showing error.

  • Granting exp/imp privilege to externally authenticated user

    DB version:11.2.0.2
    OS : AIX 6.1
    We have a DB User(schema) called OPS$appuser who is externally authenticated.
    This user should be granted privilege to perform import of scott schema's dumpfile to another schema called appschema2.
    This is what appuser will be doing at the unix command line
    $ su - appuser
    $ exp / owner=scott file=scott.dmp
    $ imp / file=scott.dmp fromuser=scott touser=appschema2
    In short, these are the DB schemas involved:
    OPS$appuser -- The user performing the exp and imp
    scott       -- The schema which is being exported
    appschema2  -- The schema which OPS$appuser imports the contents in scott.dmp to.
    Due to security reasons, we can't grant IMP_FULL_DATABASE privilege to OPS$appuser. So, what privilege can I give to OPS$appuser to perform the above exp and imp tasks?
    Hope the exp and imp syntax I've mentioned above are correct

    None, as imp_full_database is required for this.
    Also you would better use expdp and impdp using the network_link parameter.
    Doing so, you could write a pl/sql procedure using the dbms_data_pump API to replace the command line cr*p and there will be no commandline access required anymore.
    Sybrand Bakker
    Senior Oracle DBA

  • B2B login from External Site

    Hi All
    I have an existing website.  As part of that website I have an area that customers can enter a username and password and login.
    How can I redirect that login button to log into my webtools database
    Regards
    Vincent

    Other users have used a "single sign on" sort of solution. The code below is put into an ASPX page in the plug-ins directory; the page is then called from a form on the existing website.
    Here is the code:
    >
    >    protected void Page_Load(object sender, System.EventArgs e)
    >    {
    >        string password = "cex2006";
    >        string returnto = "~/common/accounts/myaccount.aspx";
    >        if (Request.Form["userid"] != null) {
    >            if (Request.Form["password"] != null && Request.Form["password"] == password) {
    >                NPUser u = new NPUser(Request.Form["userid"]);
    >                NPAccount a = new NPAccount(u.AccountID);
    >                if (u.Initialized) {
    >                    if (u.ActiveFlag && a.Active) {
    >                        base.Login(u.UserID, u.AccountID);
    >                        u.MarkLogin(base.Request.UserHostAddress);
    >                        u.ResolveCarts(base.SessionID);
    >                        Response.Redirect(returnto);
    >                    } else {
    >                        Response.Write("Account Locked");
    >                    }
    >                } else {
    >                    Response.Write("User not In System");
    >                }
    >            } else {
    >                Response.Write("No master password specified or master password incorrect");
    >            }
    >        } else {
    >            Response.Write("No userid specified");
    >        }
    >    }

  • Failed Logins from external addresses

    Hi, I recently started a trial GFI/MaxFocus RMM software. It high-lighted a couple of servers getting numerous failed logins. One of these, a 2008 R2 64 bit server, is getting between 4 and 5,000 failed logins daily. The login attempts originate from IP addresses in numerous European countries and the US, and on varying ports. The server sits behind a SonicWall TZ 205. It would be useless to block IP addresses as the login attempts are from constantly changing sources. There is a branch office that makes terminal connections to this server, and the GFI software is using some port or ports for its service. The server gets Windows updates periodically. Those are the only services I am aware that require communication of this server with the outside world. I can specifically allow ports required by these services with the outside at the...
    This topic first appeared in the Spiceworks Community

    You should adapt the menu.lst of the backed up OS like this:
    # (0) Arch Linux
    title Arch Linux
    root (hd1,0)
    kernel /boot/vmlinuz-linux root=/dev/sdb1 ro
    initrd /boot/initramfs-linux.img
    explanation:
    - Your root should be (hd1,0) because the external disc is the second hard disc (assuming root=/dev/sdb1 is correct).
    - The kernel and initrd line should have /boot, because you don't have a separate boot partition.
    Also, you didn't adapt your fstab of the backed up hard disk. In particular, you have to remove the entries for /boot, /home and swap. The entry of root file system is also wrong, because you still have the old UUID in it:
    # /etc/fstab: static file system information
    # <file system> <dir> <type> <options> <dump> <pass>
    tmpfs /tmp tmpfs nodev,nosuid 0 0
    /dev/sdb1 / ext4 defaults 0 1
    Finally, I think not following the excludes in the wiki will also cause problems.

  • BOFC 10.0 External Authentication

    Hi there,
    I have installed a BO Financial Consolidation 10.0 and a BO BI Platform 4.0 on the same machine. Now I want to set up the external authentication from FC to BI Platform.
    In the FC WebAdmin page I've configured the 'External authentication configuration string' to 'Business Objects Enterprise XI Authentication' and the CMS servername is the hostname the applications are installed on.
    This doesn't work. Maybe there is missing something. The BOFC Login doesn't accept a user that is configured in the CMC from BI Platform.
    I've searched for a long time, but didn't find more than the short description in the instguide.
    I would be really thankful if you might help me figure out what's exactly missing.
    Best regards

    Hello,
    In your steps you did not mention that you have created the user in BOFC10 itself.
    An external user still needs to be defined in the BOFC application (as it needs a profile). On the authentication tab, you can specify that this is an externally authenticated user and indicate its BOE (CMC) name/alias.
    Regards
    Marc Kuipers
    SAP Support

  • Reg Authenticated Users Group

    Hello Everyone.
    We created two Roles, Role1 and Role2; for these Roles we have assigned the Group "Authenticated Users".
    Now the client requirement is they want to remove a couple of users who are assigned to Role1 (who belong to "Authenticated Users" group).
    Though it is not a good practice, one thing I can do is search for the group "Authenticated Users" in portal, then choose modify and choose assigned users and remove the users from this group, so that they cannot see Role1.
    If I remove the users from the group "Authenticated Users" then they will not be able to see Role2, as they are removed from the "Authenticated Users" group which is assigned to Role2.
    Can anyone help me out regarding this issue.

    Hi Shailesh,
    What you understood is correct ie  "Both the users have been added to Role 1 and Role 2, and both the roles have been assigned to "Authenticated Group".
    I tried the step what you have stated.
    once I login to portal --- User administration -- identity management
    search for the user.
    choose modify
    if I click on assigned roles I do not see either Role1 or Role2 under assigned roles
    but if i click on assigned groups I see " Authenticated  Users"
    thanks in advance

  • Invoking 'active directory external authentication plug-in'  from login.jsp

    Hi
    I am using the Oracle AS 10g on Unix. We have a web application in JAVA based on OC4J Framework.
    Currently user use application url for accessing the login page, enters credentials and then the authentication is done through LDAP.
    Now we have to remove the login page from application. i.e. once user is successfully logged in Windows on his pc, and tries to access our application through it's url, he must be automatically authenticated using the credentials entered in windows and display the welcome page of application. Same as any intranet application.
    For this requirement, we have 'active directory external authentication plug-in' installed on server.
    What we need to know is how this process will work and changes required in our jsp page to invoke this plug-in and authenticate user by accessing windows-credentials automatically.
    kindly let me know

    Hi
    I am currently using NTLM to fetch the windows username and then creating an anonymous connection with the LDAP Server.
    Then I search using the user name in ldap directory.
    NTLM is no longer required , instead we have 'active directory external authentication plug-in' installed on LDAP.
    as far as i know the plug-in will process the kerberos ticket generated by windows to automatically authenticate.

  • BCS - Message from External System : 'Login failed for user 'NT AUTHORITY\IUSR'.'.

    Hello,
     I have created an external content type.
     I Choose "Connect with user's Identity".
     I create a external list that uses the ExternalContentType.
     When I try open the external list from browser by User "TestUser" . I get the following error "Message from External System : 'Login failed for user 'NT AUTHORITY\IUSR'.'"
       My Question :
           I need to know why pass the credential "NT AUTHORITY\IUSR" to connect to the data base not the
            current log in"TestUser" ?  How Can I solve it ?
            Thanks
             Hema
    ASk

    Hi,
    did you configure Kerberos delegation?
    NTLM fails when you try to open external list from client computer, because SharePoint cannot pass user's identity - "Double Hop" issue.
    Take a look at configuring Kerberos for SharePoint 2010 white paper
    Download Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products from Official Microsoft Download Center
    http://www.microsoft.com/en-us/download/details.aspx?id=23176
    Robi MCT Kompas Xnet d.o.o. Ljubljana | blog: http://xblogs.kompas-xnet.si | website: http://www.kompas-xnet.si
    Slovenia
    Please vote if you find reply useful or mark it as answer.
    Thank you

  • External Authentication won't correctly set USER name or Role

    I am using JAVA under Google App Engine for my backend and attempting to log a user into a room using external authentication. I can connect and get into the room just fine; my issue is with the user information once I am logged in. The user has a null username and ID (possibly generated) and their role is set to zero (or at least not high enough to publish). If the room is set to auto-Promote then I do have the ability to publish (this is what I would expect) but still I needed the user to have a role of owner (so they can create nodes).
    Here is a little of the java on the back end (I removed my shared secret):
    public String getRoomToken(String roomID, String userName, String userID, int userRole) {
        try {
            Session session = am.getSession(roomID);
            return session.getAuthenticationToken(..., "Bob", "TestID", 100);
            //return session.getAuthenticationToken(..., userName, userID, userRole);
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
            return null;
        }
    }
    getAuthenticationToken is hardly changed from what is in the AFCS.java in the examples folder but here it is in any case
    /** get an external authentication token */
    public String getAuthenticationToken(String accountSecret, String name, String id, int role) throws Exception {
        if (role < UserRole.NONE || role > UserRole.OWNER)
            throw new Error("invalid-role");
        String token = "x:" + name + "::" + this.account
            + ":" + id + ":" + this.room + ":" + Integer.toString(role);
        String signed = token + ":" + sign(accountSecret, token);
        // unencoded
        //String ext = "ext=" + signed;
        // encoded
        String ext = "exx=" + Utils.base64(signed);
        return ext;
    }
    This should work. My Shared secret is removed above but I doubt that is the problem as my app does authenticate just fine it just throws an exception telling me I don't have the required permissions to publish when I try to do anything. while observing from the DevConsole I see a user in the room but they are marked as null. Note that non-external authentication works just fine. If I hardcode my login creds in AdobeHSAuthenticator I can get in just fine with no issue. Also if the room I get an authenticationToken for does not match the roomURL I connect to with ConnectSessionContainer I will fail to login correctly like I would expect. So I know my credentials are getting to the AFCS and being decrypted correctly (as I can only authenticate for the room I send in that credential token) but for some reason it simply won't set my role and username/userid correctly.  Any help would be great, this has caused me a great deal of grief for days now...
    Thanks guys...
    Ves

    Well this is weird. I was trying to set this up so that I could get the log output on that run and I ended up changing
    <rtc:AdobeHSAuthenticator id="auth" authenticationKey="{Application.application.parameters['token'] as String}"/>
    to
    <rtc:AdobeHSAuthenticator id="auth" authenticationKey="{token}"/>
    and adding a preinitialize function of:
    protected function preInit():void
    {
        templateID = Application.application.parameters['room'];
        token = Application.application.parameters['token'];
    }
    Oddly enough it now works like a charm. It is still disconcerting that I was able to actually enter the room even though my token was somehow corrupted (that probably isn't intended behavior). If this shows up again I will try and track down the particulars and send you guys an email as an FYI. Thanks for the help....
    Ves

  • JAAS requiring re-authentication when returning from external site.

    Our Struts web application uses another application for some of its functionality. When the authenticated user clicks on the link, a cookie is set with some user info and the user is redirected to the external site. The user interacts with the external site and then the site redirects the user back to our site (to a previously unvisited, secure action). Unfortunately, the user is being prompted to authenticate again, even though they have already done so. The strange part is that this behaviour only exists the first time a new browser is opened (both IE and Mozilla). Subsequent visits to the site (after properly logging out, and logging back in) do not cause this problem. The other strange part is that when the user returns to the site and is prompted to authenticate, the login module that we are using logs a message that it is checking the user info against the allowed roles, and the user does, in fact, already exist.

    Nevermind. This was a stupid mistake on my part. I was accessing the site from localhost but the external site was returning to the actual URL. My bad.
