Query on SSO using Kerberos and JAAS

We have created a LAN of two computers, one being an IIS server (Windows 2000 Server) and the other the client (Windows 2000 Pro).
When the server program and the applet are run on the server machine, the authentication is done properly and the context is established.
But now we want the other terminal to be the client.
Now we have hosted the applet on the server, and when we access the hosted page from the client terminal we get the following exception:
javax.security.auth.login.LoginException: trainee.Trainee123.Local: trainee.Trainee123.Local
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:572)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:458)
at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at GSSClient.login(GSSClient.java:110)
at GSSClientApplet.login(GSSClientApplet.java:127)
at GSSClientApplet.access$000(GSSClientApplet.java:14)
at GSSClientApplet$1.actionPerformed(GSSClientApplet.java:74)
at java.awt.Button.processActionEvent(Button.java:381)
at java.awt.Button.processEvent(Button.java:350)
at java.awt.Component.dispatchEventImpl(Component.java:3639)
at java.awt.Component.dispatchEvent(Component.java:3480)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:450)
at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:197)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:150)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:144)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:136)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:99)
Caused by: java.net.UnknownHostException: trainee.Trainee123.Local: trainee.Trainee123.Local
at java.net.InetAddress.getAllByName0(InetAddress.java:999)
at java.net.InetAddress.getAllByName0(InetAddress.java:969)
at java.net.InetAddress.getAllByName(InetAddress.java:963)
at java.net.InetAddress.getByName(InetAddress.java:883)
at sun.security.krb5.internal.bg.<init>(DashoA6275:51)
at sun.security.krb5.KrbKdcReq$KdcCommunication.run(DashoA6275:185)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.KrbKdcReq.send(DashoA6275:148)
at sun.security.krb5.KrbAsReq.send(DashoA6275:401)
at sun.security.krb5.KrbAsReq.send(DashoA6275:293)
at sun.security.krb5.Credentials.acquireTGT(DashoA6275:332)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:559)
... 24 more
(The server address is trainee.Trainee123.Local.)
We referred to the following site:
http://www-128.ibm.com/developerworks/java/library/j-gss-sso/index.html
Please suggest a solution to this problem.
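The root cause in the trace above is the nested java.net.UnknownHostException thrown from inside KrbKdcReq.send: before the AS-REQ for the TGT can be sent, the JVM on the client looks up the KDC name it was configured with (here trainee.Trainee123.Local, taken from krb5.conf/krb5.ini or the java.security.krb5.kdc property), and the client machine cannot resolve that name. On the server it worked because the server can resolve its own name. The check below, an added example that is not code from the question or from the IBM article it cites, is meant to be run on the client machine before any LoginContext.login(): it classifies every configured KDC as unresolvable, resolvable but not listening, or reachable. The host:port parsing, the hostname kdc.example.test and the TCP probe on port 88 are assumptions of this example; a KDC that only answers over UDP would show as UNREACHABLE even though Kerberos could still use it.

```python
"""Preflight for the KDC hosts a Kerberos client will contact (added example).

The UnknownHostException in the trace is raised inside KrbKdcReq.send: the JVM
on the client could not turn the KDC name into an address, so the AS-REQ for
the TGT was never sent. This module answers "can THIS machine resolve and
reach the KDC?" before any LoginContext.login() is attempted.
"""
import socket

KRB5_PORT = 88  # Kerberos KDC port (RFC 4120); AD domain controllers listen on TCP and UDP


def parse_kdc(spec, default_port=KRB5_PORT):
    """Split a krb5.conf-style 'host' or 'host:port' value (assumed format;
    bracketed IPv6 literals are not handled) into (host, port)."""
    spec = spec.strip()
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return spec, default_port


def _tcp_probe(addr, port, timeout):
    """Open and immediately close a TCP connection to the KDC."""
    with socket.create_connection((addr, port), timeout=timeout):
        pass


def check_kdc(spec, resolver=socket.gethostbyname, probe=_tcp_probe, timeout=3.0):
    """Classify one KDC as UNRESOLVABLE (name lookup failed, the case in the
    stack trace), UNREACHABLE (resolved, but nothing accepts TCP on the port)
    or REACHABLE. resolver/probe are injectable so the check can run offline."""
    host, port = parse_kdc(spec)
    result = {"kdc": spec, "host": host, "port": port, "addr": None, "detail": ""}
    try:
        result["addr"] = resolver(host)  # IPv4 only, like gethostbyname itself
    except OSError as exc:  # socket.gaierror is an OSError subclass
        result.update(status="UNRESOLVABLE", detail=str(exc))
        return result
    try:
        probe(result["addr"], port, timeout)
    except OSError as exc:
        result.update(status="UNREACHABLE", detail=str(exc))
        return result
    result["status"] = "REACHABLE"
    return result


def check_kdcs(specs, **kwargs):
    """Check every KDC the client is configured with, in order."""
    return [check_kdc(spec, **kwargs) for spec in specs]


def first_failure(results):
    """The first KDC that is not REACHABLE, or None if all are fine."""
    return next((r for r in results if r["status"] != "REACHABLE"), None)


if __name__ == "__main__":
    import sys
    # Default: the KDC name from the exception above. Run this on the client machine.
    for r in check_kdcs(sys.argv[1:] or ["trainee.Trainee123.Local"]):
        print(f"{r['status']:12} {r['kdc']} -> {r['addr']} {r['detail']}")
```

Run it on the client with the same KDC names the JVM uses; an UNRESOLVABLE result means the fix is on the name-resolution side (DNS, or a hosts-file entry for the KDC), not in the JAAS configuration or the applet code. Once the name resolves, a REACHABLE result on port 88 shows the AS exchange can at least reach the KDC.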

Hi there,
I need to implement a J2EE Struts-based web application where the authentication should be against the user profiles in Windows Active Directory Services using JAAS.
I do not know how to start; is it possible for you to throw some light on this, like how Kerberos works with ADS and so on?
Thanks,
Diva

Similar Messages

  • Query: how to use structure and selection and what's the difference between

    Query: how to use structure and selection and what's the difference between these two?
    I would appreciate it if some experts here could give examples to demonstrate how to use structure and selection in a query and what the difference is between these two.
    Thanks in advance!

    Hi Kevin,
    1. Well, by default all the KFs that you include in your query go into a Key Figure Structure. You can additionally have another structure for defining how your chars are laid out. A common example is a Calmonth structure where you have selections for 12 months, quarters and YTD values. This would be a char structure with different selections (for each month, quarter etc.)
    2. Yes, a selection with a KF is the same as restricting a KF. You can use an RKF if you have one on the left-hand side, or if you need to do this locally in the query, right-click the structure and choose New Selection, then proceed to choose your KF and required char values.
    Hope this helps...

  • How to use GSS and JAAS with kerberos

    Hi,
    I am new to this subject. I have set up a Kerberos server on Win 2000 and registered my other servers with it; this setup works fine. Now what I have to do is the following:
    1. Display an HTML page where I will take the user ID and password for domain 1,
    2. Validate this user ID and password using JAAS
    3. Create a connection object with domain 2 (which is AS400)
    So how do I set up my WebSphere to do so? Also, can anyone provide Java code to get GSS credentials and create a connection to any other server?
    Ashish

    Look for "Single Sign-on Using Kerberos in Java" in google or on Sun's web site. Maybe this paper will help you.
    Claude

  • SSO on WAS 6.20 (unix) using kerberos and Windows Active Directory (AD)

    Hi Gurus!!
    We are looking for the way to implement Single Sign-On in our R/3 systems installed on Unix for the Active Directory (obviously Windows) users, using Microsoft Kerberos.
    I'm not able to find documentation about this architecture.
    Can somebody help me?
    Is there any documentation related to this topic?
    Did somebody configure this kind of SSO?
    Thank you very much in advance,
    Edorta Ramos

    Ramos,
    I should have made it clearer. When I referred to AS, I was referring to the SAP ABAP AS (i.e. application server). Of course the KDC (e.g. Microsoft Active Directory) has an AS service as well...
    Yes, you can Kerberos-enable (Kerberize) the SAP ABAP AS and SAP GUI using Kerberos libraries for Windows and AIX. As I mentioned already, since AIX is involved you should consider evaluating and buying SAP-certified SNC libraries available from an SAP partner. Your first place to look is SAP EcoHub (click the link at the top of this SDN forum to enter EcoHub) and search for SNC or Kerberos.
    You asked about the gssapi library: as I have said a few times, there is no gssapi (i.e. SNC) library provided by SAP for UNIX or Linux, so if you are using AIX you need to look elsewhere (e.g. an SAP partner), and the SAP partner will also provide the compatible/supported library for the Windows workstations, so you get a complete solution from one vendor.
    Thanks,
    Tim

  • SSO using Kerberos with SAP Logon Tickets

    Hi,
    I am creating a Repository Manager for the Portal Knowledge Management System and I want to use SSO to a backend IIS application and I have a few questions here. 
    I have a three tiered architecture. 
    A.  The presentation tier (SAP Portal which has my Repository Manager implementation)
    B.  ASP.NET web service data layer.
    C.  Backend document management system which runs on IIS. 
    I have installed the ISAPI filter on my ASP.NET application server and have enabled this HOST account for delegation in MSAD 2003.   Server B will use Kerberos constrained delegation to access Server C, which is an IIS backend server. 
    My question is how do I pass an SAP Logon Ticket to an ASP.NET web service request from my Repository Manager implementation?  Basically how do I just make an HTTP request to an ASP.NET application from some portal iView or WebDynPro code and pass along the SAP Logon Ticket in the request so it can be interpreted by the ISAPI filter on the IIS server.  Does anyone have any sample code or an application here that does this?
    Thanks,
    Scott

    Hi Scott
    Did you manage to find out anything regarding how to pass the SAP Logon Ticket to an ASP.NET web service? Can you share it with me?
    regards
    ram

  • Single sign-on using Kerberos and Ldap

    I am currently setting up single sign-on using Kerberos for authentication and LDAP for authorization and as the information store.
    The setup includes several Solaris 8 & 9 workstations, a couple of SGIs, as well as an M$ terminal server farm, several WinXP desktops and their associated Active Directory.
    I am required to authenticate etc. against the AD (which has M$ SFU 3.5 installed).
    I have the Kerberos authentication and part of the LDAP service working via PAM & NSS,
    i.e. I can log on to the Solaris workstations using the AD username and password and mount the home directory from an M$ NFS server.
    BUT...
    id gives: userID, groupID (primary group only)
    groups: primary group only (no secondary groups are listed)
    Question: what additional configuration information do I need in the PAM, NSS and/or LDAP config files so that I can list the secondary groups?
    Thanks in advance for any help.

    After evaluating (giving up on, and finally throwing out) the Sun Directory Server, it looks like we are going to end up with a similar solution.
    Sadly enough, MS AD seems much more stable and easier to handle than Sun's DS, Kerberos and associated services.
    Anyway, currently we are evaluating a product called Vintela ( www.vintela.com ), and it seems very promising; it's easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional NSS module called 'vas', so you can easily retrieve data like hosts/groups from your AD.
    //M.

  • Query Service - Filters using "IN" and "*" (asterisk)

    Hi All,
    Is there any way to use "IN" and "*" (the asterisk of a regular expression) in a filter to be used in query services?
    In other words:
    1) How to create a query using a selection-options as it is done in SELECT statement
    2) How to use regular expressions in a query (use of an asterisk)?
    Please, my question is regarding the Query Service. Nothing in the [Query Service help|http://help.sap.com/saphelp_nw70/helpdata/en/fd/022008bc9311d4b2e80050dadfb92b/frameset.htm] could help me regarding these two points.
    Thanks.

    Hi Fabio,
    This is not objects, not general, but very, very basic:
    data:
      lt_kna1   type table of kna1,
      lt_r_name type range of kna1-name1. "defines a range like in select-options
    field-symbols:
      <r_name> like line of lt_r_name. "field-symbol for one line of the ranges table
    append initial line to lt_r_name assigning <r_name>.
    <r_name>-sign = 'I'.
    <r_name>-option = 'CP'.
    <r_name>-low = 'EN*'.
    select *
      into table lt_kna1
      from kna1
      where name1 in lt_r_name.
    Also: Use F1 on [SELECT-OPTIONS|http://help.sap.com/abapdocu_702/en/abapselect-options.htm] and [DATA - RANGE OF |http://help.sap.com/abapdocu_702/en/abapdata_ranges.htm]
    Regards,
    Clemens

  • SSO using Kerberos issue in WLS 8.1 SP4

    In the documentation, it is stated that if the host is myhost.bea.com the user must be named myhost. Is this the only way, or may I have a user name different from my host name? Any help is greatly appreciated.
    Erik

    I've configured WLS 8.1 SP4 in a Windows 2000 domain. The name of the user doesn't have to be the same as the host. If you change it, you have to change the JAAS login file and keytab too.

  • Query on STRIP Using DISKUTIL and Data Safty Issues

    Here is an interesting (probably DUMB) question based on my current RAID config:
    7x500GB (RAID5 - one HDD can go down and no issue) = Vol#1
    7x500GB (RAID5 - one HDD can go down and no issue) = Vol#2
    The above, using Diskutil, I have made into one STRIPE of Vol#1+Vol#2 = RAID50.
    From the above, what are my chances of losing data based on the following three scenarios:
    1. what if one of the controllers fails, will I still see the entire volume?
    2. what if one of the controllers fails, will I lose everything on the RAID50 (STRIPE)?
    3. what if one of the controllers fails and I replace the controller with a new one, will I get my data back?
    Please advise on the above.
    Thanks

    >1. what if one of the controllers fails, will I still see the entire volume?
    You will lose access to the entire volume. The data will be intact but you cannot access the volume (on either controller) until the failed controller is replaced.
    >2. what if one of the controllers fails, will I lose everything on the RAID50 (STRIPE)?
    No. Your data will be intact. You just can't access it.
    >3. what if one of the controllers fails and I replace the controller with a new one, will I get my data back?
    Yes. The replacement controller can read the RAID configuration from the drives. Replacing the failed controller will restore access to your volume.
    Just for the record I have over a dozen XServe RAIDs (including one of the very first revisions using 180GB drives) all working 24/7 in a production network and have never lost a controller, power supply, or any other component other than one (or maybe two) failed disks. In my experience the failure rate is very low.

  • OBIEE 11g SSO using OAM and AD (authentication provider)

    Hi
    I am authenticating my OBIEE users through Microsoft Active Directory and it works fine.
    I would like to set up SSO, so as to achieve seamless navigation from my PeopleSoft system to OBIEE.
    If anyone has done this before, then could you point me to some reference material. I am not able to find any online.
    Thanks
    Madhu

    I believe you can integrate PeopleSoft in the same way we have done it for EBS.
    Follow the link below; it will help you.
    https://kr.forums.oracle.com/forums/thread.jspa?threadID=645740
    Thanks
    Jay.

  • Security problem. Not use JAZN and JAAS.

    I have implemented the J2EE security features in AS.
    I need to use a database for authentication.
    I know that in Tomcat you do the following:
    <Realm
    className="org.apache.catalina.realm.JDBCRealm"
    debug="99"
    driverName="oracle.jdbc.driver.OracleDriver"
    connectionURL="jdbc:oracle:thin:@{IPAddress}:{Port}:{Servicename}"
    connectionName="{DB Username}"
    connectionPassword="{Password}"
    userTable="users"
    userNameCol="username"
    userCredCol="password"
    userRoleTable="user_roles"
    roleNameCol="rolename"
    />
    How do I configure the server so that it uses the database?

    I've done this, but it was a while ago.
    Basically you need to write a new class that extends com.evermind.security.AbstractUserManager; it must provide real implementations of:
    userExists
    checkPassword
    inGroup
    getUser
    & UserWrapper
    Then in your deployed application, in the orion-application.xml, you need to refer to this class, e.g.
    <user-manager class="com.DriveUserManager"></user-manager>
    You may also need to make some changes to your application.xml and principals.xml.
    Sorry if this is a bit vague.

  • SSO on AS Abap/JAVA using Kerberos

    Hello,
    We have the following configuration:
    ECC system
    Setup of a Microsoft UAG server for SSO using Kerberos on W2008R2
    All the steps about SPNs have been applied...
    We use Kerbtray to check the keys.
    But when using WebGUI, we get an HTTP 401 auth error.
    Tried to trace, but nothing. I've found nothing on these forums about the setup of the webgui service, and tried most combinations without any success... Now I've selected "Alternative logon procedure" in the logon data procedure, and security: standard auth, standard SAP user, keeping all logon procedures.
    Have you any idea how to fix this problem? Thanks in advance.
    Info: all the checks about the IE8 or Firefox setup have been applied, and I've used the SPNego add-on setup and imported the generated keytab... with crypto RC4-HMAC-NT.
    Regards,
    Jade

    Hi Jade,
    I was in the same situation before. I had to configure SSO with Windows Authentication for IITS. I have configured Kerberos for SAP GUI for ABAP and SPNego only for the JAVA stack (not for the ABAP stack (IITS)). Windows Authentication is possible with ABAP or JAVA individually. When I opened a message with a similar requirement, SSO experts suggested that I use 3rd-party products.
    So finally, to achieve the requirement, I configured SSO with Logon Tickets. Even though you don't have Enterprise Portal, you can configure SSO with Logon Tickets by creating a PSE in the ABAP stack and importing it in the other system. This worked fine with IITS. Only for the initial system do we need to enter credentials; the remaining ones log you directly into the system with the generated cookie/ticket.
    If you can try SPNego, then configure ABAP to accept JAVA tickets (there is a config for SSO from JAVA to ABAP) on the same system. This may enable Windows Authentication for IITS (I didn't try this).
    Refer: Need help in SNC configuration for ITS (IITS)
    If you come up with any solution other than this to enable Windows Authentication, please post. Maybe Olivier's solution works here. Olivier, could you please post the SAP note info and the config steps?
    Thanks,
    Ajay.
    Edited by: Ajay_Basis on Jul 15, 2010 5:15 PM

  • Query using BETWEEN/AND operators

    I'm trying to query in Forms using the BETWEEN/AND operators. The field is for dates (YYYY) and is stored in the DB as varchar(4). My code compiles but returns nothing... Any ideas of what's wrong?
    PROCEDURE YR_RANGE_SEARCH IS
    BEGIN
      IF :SEARCH.NRA_START IS NOT NULL
         AND :SEARCH.NRA_END IS NOT NULL THEN
        :Global.BUFFER_START := :SEARCH.NRA_START;
        :Global.BUFFER_END := :SEARCH.NRA_END;
        BEGIN
          SET_BLOCK_PROPERTY('NRHR', ONETIME_WHERE, 'NRHR.YEAR = ''' || 'BETWEEN' || :Global.BUFFER_START || 'AND' || :Global.BUFFER_END ||'''');
          GO_BLOCK('NRHR');
          EXECUTE_QUERY;
        END;
      END IF;
    END;

    Check the spaces in the quoted text. I noticed that in your original query you had no spaces anywhere, which made your ONETIME_WHERE result in something like NRHR.YEAR='BETWEEN2005AND2007' (if :Global.BUFFER_START=2005 and :Global.BUFFER_END=2007). For sure that always resulted in a NULL value returned by the query;
    in my answer
    SET_BLOCK_PROPERTY('NRHR', ONETIME_WHERE, 'NRHR.YEAR BETWEEN '|| :Global.BUFFER_START || ' AND ' || :Global.BUFFER_END);
    there is a space after BETWEEN and space before and after AND. Be careful.

  • Kerberos and SPNEGO

    I was trying to do SSO for Oracle UCM 11g, which uses WebLogic 10.3.4, using Kerberos and SPNEGO as stated in the Oracle documentation.
    I followed all the steps on the following links:
    http://download.oracle.com/docs/cd/E17904_01/web.1111/e13707/sso.htm#i1102021
    and
    http://download.oracle.com/docs/cd/E17904_01/doc.1111/e10792/c03_security.htm#CDDDIHBA
    My issue is strange: there are no errors and no exceptions, and SSO is not working even if I add wrong info to krb5.conf or krb5login.conf. I have created a JAAS configuration file and specified the krb5login.conf file location as a startup option in WebLogic, where I have added the following to startWeblogic.sh:
    JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=krb5login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"
    What do you think I am facing here???

    Hi,
    Apply SAP Note 1045019 (Example 3) and provide for analysis the errors (in red) from the collected traces.
    Regards,
    Dimitar

  • I'm trying to use kerberos V5 with ActiveDirectory but get an error

    I'm trying to use Kerberos V5 with Active Directory. I'm using simple code from previous posts, but
    when I try with the correct username/password I get:
    Authentication attempt failedjavax.security.auth.login.LoginException: Message stream modified (41)
    When I try an incorrect username/password I get:
    Pre-authentication information was invalid (24)
    Debug info is :
    Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Kerberos username [naiden]: naiden
    Kerberos password for naiden:      naiden
              [Krb5LoginModule] user entered username: naiden
    Acquire TGT using AS Exchange
              [Krb5LoginModule] authentication failed
    Pre-authentication information was invalid (24)
    Authentication attempt failedjavax.security.auth.login.LoginException:
    Java code is:
    import javax.naming.*;
    import javax.naming.directory.*;
    import javax.security.auth.login.*;
    import javax.security.auth.Subject;
    import com.sun.security.auth.callback.TextCallbackHandler;
    import java.util.Hashtable;
    /**
     * Demonstrates how to create an initial context to an LDAP server
     * using "GSSAPI" SASL authentication (Kerberos v5).
     * Requires J2SE 1.4, or JNDI 1.2 with ldapbp.jar, JAAS, JCE, an RFC 2853
     * compliant implementation of J-GSS and a Kerberos v5 implementation.
     *
     * Jaas.conf
     * racfldap.GssExample {com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true; };
     *
     * 'qop' is a comma separated list of tokens, each of which is one of
     * auth, auth-int, or auth-conf. If none is supplied, the default is 'auth'.
     */
    class KerberosExample {
        public static void main(String[] args) {
            java.util.Properties p = new java.util.Properties(System.getProperties());
            p.setProperty("java.security.krb5.realm", "ISY");
            p.setProperty("java.security.krb5.kdc", "192.168.0.101");
            p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
            System.setProperties(p);
            // 1. Log in (to Kerberos)
            LoginContext lc = null;
            try {
                lc = new LoginContext("ISY", new TextCallbackHandler());
                // Attempt authentication
                lc.login();
            } catch (LoginException le) {
                System.err.println("Authentication attempt failed" + le);
                System.exit(-1);
            }
            // 2. Perform JNDI work as logged in subject
            Subject.doAs(lc.getSubject(), new LDAPAction(args));
        }
    }
    // 3. Perform LDAP Action
    /**
     * The application must supply a PrivilegedAction that is to be run
     * inside a Subject.doAs() or Subject.doAsPrivileged().
     */
    class LDAPAction implements java.security.PrivilegedAction {
        private String[] args;
        private static String[] sAttrIDs;
        private static String sUserAccount = new String("Administrator");
        public LDAPAction(String[] origArgs) {
            this.args = (String[]) origArgs.clone();
        }
        public Object run() {
            performLDAPOperation(args);
            return null;
        }
        private static void performLDAPOperation(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname
            env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389/DC=isy,DC=local");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            env.put("javax.security.sasl.server.authentication", "true");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                Attributes aAnswer = ctx.getAttributes("CN=" + sUserAccount + ",CN=Users,DC=isy,DC=local");
                NamingEnumeration enumUserInfo = aAnswer.getAll();
                while (enumUserInfo.hasMoreElements()) {
                    System.out.println(enumUserInfo.nextElement().toString());
                }
                // Close the context when we're done
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    JAAS conf file is:
    ISY {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true;
    };
    krb5.ini file is:
    # Kerberos 5 Configuration File
    # All available options are specified in the Kerberos System Administrator's Guide.  Very
    # few are used here.
    # Determines which Kerberos realm a machine should be in, given its domain name.  This is
    # especially important when obtaining AFS tokens - in afsdcell.ini in the Windows directory
    # there should be an entry for your AFS cell name, followed by a list of IP addresses, and,
    # after a # symbol, the name of the server corresponding to each IP address.
    [libdefaults]
         default_realm = ISY
    [domain_realm]
         .isy.local = ISY
         isy.local = ISY
    # Specifies all the server information for each realm.
    #[realms]
         ISY=
              kdc = 192.168.0.101
              admin_server = 192.168.0.101
              default_domain = ISY
         }

    Now it works.
    I will try to explain how I did this:
    step 1)
    follow this guide http://www.cit.cornell.edu/computer/system/win2000/kerberos/
    and configure AD to use Kerberos and to have a Kerberos REALM
    step 2) try a Windows login to the new realm to be sure that it works; ADD a trusted realm if needed.
    step 3) create a jaas.conf file, for example in c:\
    it looks like this:
    ISY {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true;
    };
    step 4)
    (don't forget to make the mappings which are explained in step 1) go to Active Directory Users, make sure from View to check Advanced Features, right-click on the user, go to Mappings, and in the second tab (Kerberos mapping) add USERNAME@KERBEROSREALM, for example [email protected]
    step 5)
    copy+paste this code and HIT RUN :)
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import com.sun.security.auth.callback.TextCallbackHandler;
    public class Main {
        public static void main(String[] args) {
            java.util.Properties p = new java.util.Properties(System.getProperties());
            p.setProperty("java.security.krb5.realm", "ISY.LOCAL");
            p.setProperty("java.security.krb5.kdc", "192.168.0.101");
            p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
            System.setProperties(p);
            // 1. Log in (to Kerberos)
            LoginContext lc = null;
            try {
                lc = new LoginContext("ISY", new TextCallbackHandler());
                // Attempt authentication
                lc.login();
            } catch (LoginException le) {
                System.err.println("Authentication attempt failed" + le);
                System.exit(-1);
            }
            // 2. Perform JNDI work as logged in subject
            Subject.doAs(lc.getSubject(), new LDAPAction(args));
        }
    }
    // 3. Perform LDAP Action
    /**
     * The application must supply a PrivilegedAction that is to be run
     * inside a Subject.doAs() or Subject.doAsPrivileged().
     */
    class LDAPAction implements java.security.PrivilegedAction {
        private String[] args;
        private static String[] sAttrIDs;
        private static String sUserAccount = new String("Administrator");
        public LDAPAction(String[] origArgs) {
            this.args = origArgs.clone();
        }
        public Object run() {
            performLDAPOperation(args);
            return null;
        }
        private static void performLDAPOperation(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname
            env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // env.put("javax.security.sasl.server.authentication", "true");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                // Create the search controls
                SearchControls searchCtls = new SearchControls();
                // Specify the attributes to return
                String returnedAtts[] = {"sn", "givenName", "mail"};
                searchCtls.setReturningAttributes(returnedAtts);
                // Specify the search scope
                searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // Specify the LDAP search filter
                String searchFilter = "(&(objectClass=user)(mail=*))";
                // Specify the base for the search
                String searchBase = "DC=isy,DC=local";
                // Initialize counter to total the results
                int totalResults = 0;
                // Search for objects using the filter
                NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
                // Loop through the search results
                while (answer.hasMoreElements()) {
                    SearchResult sr = (SearchResult) answer.next();
                    totalResults++;
                    System.out.println(">>>" + sr.getName());
                    // Print out some of the attributes; catch the exception if the attributes have no values
                    Attributes attrs = sr.getAttributes();
                    if (attrs != null) {
                        try {
                            System.out.println("   surname: " + attrs.get("sn").get());
                            System.out.println("   firstname: " + attrs.get("givenName").get());
                            System.out.println("   mail: " + attrs.get("mail").get());
                        } catch (NullPointerException e) {
                            System.err.println("Error listing attributes: " + e);
                        }
                    }
                }
                System.out.println("RABOTIII");
                System.out.println("Total results: " + totalResults);
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    It will ask for a username and password.
    Type for example: [email protected] for the username
    and password: TheSecretPassword
    where ISY.LOCAL is the name of the Kerberos realm.
    P.S. It is not a good idea to use Administrator as the login :)
    Edited by: JOKe on Sep 14, 2007 2:23 PM
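Two things about the Kerberos configuration differ between the failing post and the working answer in this thread: the krb5.ini posted with the question has its [realms] header commented out, so the ISY block that follows it is no longer a realm definition, and the working version names the realm ISY.LOCAL while the first one used ISY (the realm part of the login name, USERNAME@KERBEROSREALM in step 4 above, has to match it too). The linter below, an added example and not code from either post, parses a krb5.conf/krb5.ini and reports both kinds of inconsistency from the file text alone, before any Krb5LoginModule login is attempted. The two sample files inside it are constructed from the posted ones, and the login principal user@ISY.LOCAL is an assumption.

```python
"""Consistency checks for a krb5.conf / krb5.ini (added example, not code from the thread).
BROKEN_KRB5_INI reproduces the shape of the posted krb5.ini (its [realms] header is
commented out); FIXED_KRB5_INI uses the realm naming of the working answer."""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Parse the MIT profile format: [section] headers, 'key = value' lines,
    nested 'name = { ... }' blocks and '#'/';' comments. Values are a str, a list
    (key repeated, e.g. several 'kdc =' lines) or a dict (a block). Lines before
    the first header are dropped, which is what a commented-out header does to
    the block that follows it."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value, target = key.strip(), value.strip(), stack[-1]
        if value == "{":
            target[key] = {}
            stack.append(target[key])
        elif key in target:
            if not isinstance(target[key], list):
                target[key] = [target[key]]
            target[key].append(value)
        else:
            target[key] = value
    return conf


def lint_krb5_conf(conf, login_principal=None):
    """Problems that would send the AS-REQ nowhere or to the wrong realm.
    Empty list = internally consistent. login_principal is 'user@REALM'."""
    problems = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    if "realms" not in conf:
        problems.append("no [realms] section: header missing or commented out")
    if not default_realm:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for name, entry in realms.items():
        if name != name.upper():  # realm names are case-sensitive; AD realms are upper case
            problems.append(f"realm {name} is not upper case")
        if not isinstance(entry, dict) or "kdc" not in entry:
            problems.append(f"realm {name} defines no kdc")
    for domain, target in conf.get("domain_realm", {}).items():
        if isinstance(target, dict):
            problems.append(f"[domain_realm] '{domain}' is a {{...}} block; realm definitions belong under [realms]")
        elif target and target not in realms:
            problems.append(f"[domain_realm] maps {domain} to undefined realm {target}")
    if login_principal and "@" in login_principal:
        principal_realm = login_principal.rsplit("@", 1)[1]
        if default_realm and principal_realm != default_realm:
            problems.append(f"login principal realm {principal_realm} differs from default_realm {default_realm}")
    return problems


BROKEN_KRB5_INI = """\
[libdefaults]
    default_realm = ISY
[domain_realm]
    .isy.local = ISY
    isy.local = ISY
#[realms]
    ISY = {
        kdc = 192.168.0.101
    }
"""

FIXED_KRB5_INI = """\
[libdefaults]
    default_realm = ISY.LOCAL
[realms]
    ISY.LOCAL = {
        kdc = 192.168.0.101
    }
[domain_realm]
    .isy.local = ISY.LOCAL
    isy.local = ISY.LOCAL
"""

if __name__ == "__main__":
    for label, text in (("posted", BROKEN_KRB5_INI), ("fixed", FIXED_KRB5_INI)):
        problems = lint_krb5_conf(parse_krb5_conf(text), "user@ISY.LOCAL")  # principal assumed
        print(label, "->", "\n  ".join(problems) if problems else "OK")
```

Run it against the file named by java.security.krb5.conf (or the krb5.ini the JVM picks up on Windows) together with the principal the user will type; an empty result rules out the realm-side mismatches before you turn on -Dsun.security.krb5.debug=true and read the AS exchange.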
