RDP SSO?

I need a little information regarding SSO in use with Remote Desktop services.
In searching for RD Services SSO I get these articles about getting the RDWeb SSO and using SSO with RemoteApp. But there is never any mention of RDP itself.
My people want to be able to load up MSTSC or an .rdp file, put in the server address and connect via RDP with no prompt for credentials.  I am not seeing anything on the web on how to do this.
We are running Windows 2012 R2 RDS.

Hi Thomas,
Thank you for posting in Windows Server Forum.
To take advantage of the new Web SSO feature, the client must be running Remote Desktop Connection (RDC) 8.1 for better features and functionality.
In order for Web SSO to work:
a. The connection in RemoteApp and Desktop Connections must have an ID. By default, it is set to the Fully Qualified Domain Name (FQDN) of the RD Connection Broker server in case of RD Connection Broker mode. In RD Session mode, it is set to the FQDN of the RD Web Access server.
b. RemoteApp programs must be digitally signed using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate]. The certificate Enhanced Key Usage section must contain ‘Server Authentication (1.3.6.1.5.5.7.3.1)’. More details about the types of certificates used to digitally sign RemoteApp programs can be found here.
c. Client operating systems must trust the certificate with which the RemoteApp programs are signed.
In addition, you need to add the server name under the GPO setting “Allow delegating default credentials”. Please check this article for information. For mstsc to run without a credential prompt, we can also edit the rdp file (“PromptCredentialOnce:i:0”) and see the result.
For more information you can refer to the article below.
Step by Step Customizing RD Web Access 2012 R2 – Part 1
Hope it helps!
Thanks.
Dharmesh Solanki
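For the mstsc/.rdp route asked about above, and the .rdp edit suggested in the answer, here is a small .rdp file linter, added as an example and not code from the thread or from Microsoft. It parses the `name:type:value` syntax mstsc writes, flags settings that undermine an SSO deployment (an embedded `password 51` blob, server authentication disabled via `authentication level:i:0`, CredSSP switched off) and emits a hardened copy; the sample file, host names and the hardening policy are constructed assumptions.

```python
"""Lint a Remote Desktop (.rdp) file for settings that matter in an SSO deployment.
Added example for the thread above; not code from the forum posts."""
from typing import Dict, List, Union

Value = Union[str, int, bytes]

# Constructed sample in the format mstsc writes: "<name>:<type>:<value>",
# type s = string, i = integer, b = binary (hex). The 'password 51' blob is a
# made-up placeholder standing in for a DPAPI-encrypted saved password.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdcb01.corp.example
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.SomeCollection
promptcredentialonce:i:0
authentication level:i:0
enablecredsspsupport:i:1
gatewayhostname:s:
password 51:b:0102030405060708
"""


def parse_rdp(text: str) -> Dict[str, Value]:
    """Parse .rdp lines into a dict keyed by lower-cased setting name."""
    settings: Dict[str, Value] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Only the first two colons delimit name and type; the value may
        # itself contain colons (e.g. tsv:// in loadbalanceinfo).
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            raise ValueError(f"line {lineno}: malformed setting {raw!r}")
        name, kind, value = parts
        name = name.strip().lower()
        if kind == "i":
            settings[name] = int(value)
        elif kind == "b":
            settings[name] = bytes.fromhex(value) if value else b""
        else:
            settings[name] = value
    return settings


def check_sso_settings(settings: Dict[str, Value]) -> List[str]:
    """Return findings a defender would fix before distributing the file."""
    findings: List[str] = []
    if settings.get("password 51"):
        findings.append("password 51: saved credential embedded in the file; "
                        "remove it and rely on credential delegation instead")
    # authentication level 0 = connect even if server authentication fails,
    # so a spoofed broker or session host could receive the delegated credentials.
    if settings.get("authentication level") == 0:
        findings.append("authentication level:i:0: server authentication failures are ignored")
    if settings.get("enablecredsspsupport", 1) == 0:
        findings.append("enablecredsspsupport:i:0: CredSSP disabled, so default-credential "
                        "delegation cannot be used")
    lb = settings.get("loadbalanceinfo", "")
    if isinstance(lb, str) and lb and not lb.startswith("tsv://"):
        findings.append(f"loadbalanceinfo: unexpected value {lb!r}, expected tsv://...")
    return findings


def harden_for_sso(settings: Dict[str, Value]) -> Dict[str, Value]:
    """Return a copy with the findings above resolved (assumed policy, not vendor guidance)."""
    fixed = dict(settings)
    fixed.pop("password 51", None)
    if fixed.get("authentication level") == 0:
        fixed["authentication level"] = 1   # 1 = do not connect if server auth fails
    fixed["enablecredsspsupport"] = 1
    return fixed


def serialize_rdp(settings: Dict[str, Value]) -> str:
    """Write settings back in mstsc syntax."""
    lines = []
    for name, value in settings.items():
        if isinstance(value, int):
            lines.append(f"{name}:i:{value}")
        elif isinstance(value, bytes):
            lines.append(f"{name}:b:{value.hex()}")
        else:
            lines.append(f"{name}:s:{value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_rdp(SAMPLE_RDP)
    for finding in check_sso_settings(parsed):
        print("FINDING:", finding)
    print(serialize_rdp(harden_for_sso(parsed)))
```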

Similar Messages

  • How to use CSCO_WEBVPN_PASSWORD in rdp:// bookmark, SSL VPN

    Hi all
    I got an ASA5510 (8.4.4, ASDM 6.4(7) with WEBVPN access.
    Now I'm facing the problem, that the customer uses an OTP authentication.
    I've changed the SSL portal login page with username / password (OTP) / internal password ( the AD-user password).
    So the idea is, that those variables
    - CSCO_WEBVPN_USERNAME
    - CSCO_WEBVPN_INTERNAL_PASSWORD
    are used for SSO purpose.
    Here my bookmark:
    rdp2://<IP>/?keymap=de&bpp=16&geometry=1024x768&FullScreen=true&RedirectDrives=true&domain=<DOMAIN>&username=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_INTERNAL_PASSWORD
    The problem is, that the password will not be sent to the rdp session. When I enter the password hardcoded (e.g. passwort=secret) it works.
    So, how can a variable be sent for the password? Or is it by design that only a hardcoded password can be used?
    Thanks a lot,
    Norbert

    Dear Norbert,
    To get this to work, you must configure the bookmark as follows:
    server/?csco_sso=1&Parameter&Parameter
    server/?Parameter&Parameter&csco_sso=1
    Please notice that the key is csco_sso=1 to provide java plug-in SSO feature.
    For example:
    rdp://10.198.29.26/?geometry=1024x768&csco_sso=1&username=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_PASSWORD
    I just tested this locally
    Please let me know.
    Thanx.
    Portu.

  • RD Web access SSO - remote desktop doesn't work

    Hi,
    This is my first post in here, and I hope you guys can help me out.
    I am currently experiencing some issues with RD Web SSO not working as I would like it to work. I have found countless articles and guides describing how to get it to work, but no guide has yet helped me.
    The problem is that when I log in on the web access and open a published application everything works fine: I wait 5 sec and the application pops up, but when I try to open "Remote Desktop" then I get a new login box where I must enter my login credentials again (after entering my credentials everything works great.)
    The problems I am currently facing is produced in a demo environment configured as follows:
    1x DC server (DC01) also the lic server
    2x RDS server (RDS01/02)
    1x RDS Connection broker (RDCM01). I have created a farm named "farm01.mydomain.com"
    1x RDS Web access server (RDWA01)
    1x RDS Gateway (RDSGW01)
    (All the Servers are installed with Windows server 2008 (R2) SP1, and have the latest update.)
    I am publishing my demo environment on the internet. I have created a domain name for my gateway and my web access and they are both accessible from the web (rdwa.mydomain.com and rdsgw.mydomain.com). I also have secured everything with an SSL wildcard certificate (my external and internal domain names are the same so I am using one SSL certificate) that is trusted on the web.
    When I log in on the web access server through (IE9 or IE8) from another network (WAN) and I open a published application (calculator), it pops up in just a few seconds. But when I try to open my Remote Desktop I get a login box where I must enter my username and password one more time. After that Remote Desktop opens and everything works great.
    My laptop is a Windows 7 professional with RDP 7 and IE 9, and is not member of a domain (just a workstation), I have tested it from multiple workstations and networks(Also win 7 and RDP7) but even there I have the same problem.
    Things that I have tried till now:
    I have created a Kerberos account as mentioned on MSDN
    I have checked my group permissions as mentioned here
    And many more blogs and forums
    I have tried multiple settings on RDCM, RDWA, RDSGW and RDS server
    Right now I am out of ideas, and I hope you guys can help me out..
    thanks in advance,
    Pouyan

    Thanks for your advice,
    Did you go into your RemoteApp Deployment settings and change the server name to the farm name "farm01.mydomain.com?"
    Yes
    Also in the Session Broker's RemoteApp and Desktop Connection Properties window change the Connection ID to the farm name as well.
    actually I couldn't find out what to put on the connection ID so I had left it just default, but after changing it to the farm name it still doesn't work
    Did you sign your apps with the cert used on your RDS servers?
    yes, I am using a wildcard ssl certificate to sign all the servers/apps with.
    There is something that strikes me: when I log on the web access and click on a published application (that is hosted from the same RDS servers) then I get an information box. When I click on the "details" button I see on the bottom "use the following credentials to connect" and my domain and username are published there. But when I click on the "Remote desktop" icon and do the same I can't see this information!!
    Also I don't think that it's an SSL problem, because after logging in again it works perfectly without any warning.

  • How to make WinTPC a direct VDI w/2012 Server from login(SSO) Pooled VM Collection SOLVED !

    Pre-Reqs:
    WinTPC machines must be domain joined
    All VDI infrastructure is 2012(RD Web, CB, VH, GW) you might be able to use 2008R2 I did not use any so dunno..
    All certificates must be in place for SSO
    1. Setup 2012 VDI infrastructure to use SSO
    2. Set group policy applied to WinTPC machines OU to allow Credential Delegation see:
    http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx
    3. Steal the RDP file from RDWeb (do a view source to get the path to the RDP file then download it) place in a network location, we use a folder in netlogon. Alternatively you could create your own RDP file and include the loadbalanceinfo:s:tsv://VMResource.1.MYPOOLEDCOLLECTION_Name
    4. Use a GPO to set a Custom Interface on the WinTPC machines it should execute a powershell or vbscript that runs the .rdp file, in our case we use a logon script to copy a powershell script to the local machine, then use that as the custom interface, it loops watching for the mstsc process to end..when it does it logs the user off. (sample)
    #VDI-RDP.ps1
    # Launch mstsc with the pooled-collection .rdp file; mstsc returns control immediately
    & 'c:\windows\system32\mstsc.exe' c:\start\myrdpfile.rdp
    # Give mstsc time to start before polling for its process
    Start-Sleep -Seconds 10
    # Poll while mstsc is running; -ErrorAction keeps Get-Process quiet once the process is gone
    while (Get-Process mstsc -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 10 }
    # Session closed: log the user off the WinTPC machine
    logoff.exe
    Custom Interface GPO is here:
    User\Administrative Templates\System\Custom User Interface\
    "powershell.exe" -windowstyle hidden c:\start\vdirdp.ps1
    Voila !
    When domain users login to the WinTPC they get a VDI session only... once they close the session either by logging off or closing the RDP session.. they are logged off of the WinTPC machine
    MS really should document this somewhere.. not everyone wants to access VDI from  RDweb.... :(   nor do they wish to have to authenticate multiple times...
    Good luck with it !

    Thank you dear Steve for the detailed steps,
    I have an issue to set the RD Web Access for SSO.
    I followed the article below without success and I saw your comment.
    http://www.anilerduran.com/index.php/2012/sso-single-sign-on-thoughts-on-rds-remote-desktop-services-2012/
    I am using RDS 2012 R2 environment.
    Could you please provide more steps on how to run SSO for the RD Web?:
    Point Number 2 is not clear.
    To turn on Windows Authentication:
    - uncomment <authentication mode="Windows"/> section
    - and comment out:
      1) <authentication mode="Forms"> section.
      2) <modules> and <security> sections in <system.webServer> section at the end of the file.
      3) Optional: Windows Authentication will work in https. However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR. Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and click Apply in the top right in the right pane. Repeat the steps for RDWeb/Pages VDIR.
    Kind regards,

  • Single server solution for RDS / TS / RDP using Windows Server 2012 R2

    Planning on setting up a small single server and  need this functionality:
    * 3 local users running Windows 7 Home Premium need to access files on the server
    * The same 3 users should also be able to connect from home (PC, Mac, iPhone) and run an application on the server. (Session-Based Remote Desktop).
    We want to use Windows Server 2012, and found out that Essentials does not support RDP, so that leaves Foundation and Standard versions.
    However, I also found out that in WS 2012 the RDP can not be on the same server as the Domain Controller, and we therefore need to run 2 server instances on our hardware. I think this starts to look way too complicated for what we want to do, but found out that WS 2012 R2 allows a single server to run RDP (See TechNet article 2833839).
    So we will go for Windows Server 2012 R2, either Foundation or Standard to set up our RDP.
    So now the question: Will that solution work with our local machines running Windows 7 Home Premium, as they cannot connect to a domain? Can we set up some kind of simple file share or Workgroup to access files locally while still keeping the RDP functionality on the server?
    And, will WS 2012 Foundation R2 do this as well as WS 2012 Standard R2?
    (I have been asking several local MS representatives to find a solution to our needs, but no one seems to know how this works....of course we could just get 2 WS 2012 Standard server instances, run one as DC and one as RDCB and upgrade all our clients to Win 7 Pro, but we would like a solution with minimal investment in time and money)
    Rgds
    Petter

    Hi Ryan, 
    and thanks for the answer! I do not know how to do "multiple quote" in this forum so I do it this way:
    "have you considered virtualisation, as you can run multiple virtual machines under one licence. I think this would be the cheapest and most efficient use of your money. Upgrading your clients to Windows 7 pro would allow you to have domain control Single Sign On SSO. "
    This is the "official" solution I think: Upgrade all clients to Win 7 Pro and run two instances of Win Server 2012 Standard on the server.
    However, I was hoping to get away with something a bit more Quick & Dirty.....;-) We do not have big security issues and will have a good backup system, and I think for 3 users only, it will be more work trying to centralise administration like updating, backups etc, than to just go to each machine and do what is needed.
    We are good with computers/Windows but have no Server experience. A server guy will help us get started, but I don't want him around after that, so it must be a very simple solution.
    Also, installing 2 instances of WS 2012 and upgrading all 3 clients to Win Pro, and then installing all software and settings on the clients into the new domain user accounts on these clients is quite a lot of work. So I was hoping to keep only existing local users on the client machines and only have some kind of file share thing going on with the server disks that we need to access. So perhaps use a Workgroup instead of a domain, if that works with the RDS setup?
    "Option 1
    2 virtual machines 1x DC and 1x RDS server."
    So, if we set up RDS this way (so we can log in remote and run our application session-based on the server), can we keep the local clients running Windows Home Premium using our current local user logins (ie no domain user accounts created on the client machines, as this is impossible in Home versions) and still access the server disks somehow, or is it impossible?
    Another question is if it is stupid/a really bad solution...but I still want to know if it is possible....;-)
    "Option 2 
    2 virtual machines 1x DC and 1x RDS server.
    You can configure your RDS solution as a domain joined platform and will still be able to access resources from the local device as you can map local drives to the session host. http://www.serverintellect.com/support/techfaq/drive-rdp/
    Your users would have two sets of credentials, one for the local client and one for the domain."
    I do not want to access files over VPN or RDP, we only want to run an application on the server from remote (Session-Based Remote Desktop). However when we use the local clients we want to access files on the server, and then we access huge image and film files on fast RAID drives, so local network speed must be top speed. Also if possible we would like to not upgrade to Win Pro, and then joining a domain is not possible.
    "Option 3
    1x Server
    The second option would be to manually deploy the session host role and licencing role to a work group server. This would limit access to RDP only and you would lose web access functionality."
    I think this is what I was hoping for. It seems that the new R2 release of WS 2012 allows you to run RDP and Domain Controller roles on the SAME instance of the server. That sounds nice, it limits what we need to keep track on and minimises the load on the server that needs to act as a very fast file server locally.
    However, can we do this and still keep file access with only Windows Home (no domain) in the local clients (same question as above under "Option 1")?
    Rgds
    Petter

  • RDP pre-authentication: what does it actually do?

    I'm trying to integrate Forefront TMG and RDS with SecurID authentication. I believe I'm very close to having it working, but I'm hitting a brick wall.
    I have "require pre-authentication" set, and "pre-authentication server name" configured, as indicated in so many forum posts and HOWTOs.
    No matter what I do, clients receive the error "authentication to the firewall failed due to missing firewall credentials." This is after they have already successfully authenticated and visited the /RDWeb pages.
    Using the TMG logs, procmon, and wireshark, I am 100% certain that no network activity is occurring from the RDP client when this error occurs; this error is being generated entirely on the client side, before it attempts to connect to anything. I understand that this is what is expected; it is checking for the existence of a cookie.
    But the cookie doesn't exist. Why? Because nothing is setting one. The only cookies the client receives during the entire process (logging in to rdweb and trying to launch an app) are the SecurID domain SSO cookie I set in TMG, and the persistent authentication cookie I also set in TMG. RDweb itself is not issuing any cookie at all.
    Can anyone please explain to me, what specific cookie is the RDP client looking for when "require pre-authentication" is enabled? And which component is meant to be setting it?
    Obviously I'd be very grateful if anyone can tell me "run this command and it will start working" or whatever, but I'm really hoping to gain an engineering-level understanding of how it's meant to work ;)

     
    Hi,
    Please double check the following article:
    Configuring Forefront Threat Management Gateway Integration with RD Gateway Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/gg589607(v=ws.10).aspx
    On the Forefront TMG server apply the Filter ipv4.address==<your public IP>
    When the client's remote desktop request reaches the TMG server, please check if the TMG server is forwarding the packet to the RDG server.
    Looking forward to your feedback.
    Regards,
    Dollar Wang
    Forum Support
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Technology changes life……

  • 2012 R2 RDS SSO with IE 8

    Hi,
    I am having some trouble getting SSO working on a thin client using IE 8, connecting to a 2012 R2 deployment via the RDWeb web access page.
    My scenario is thus:
    Connection broker with 2 session collections
    Gateway server for both internal and external access/policies
    Web access server to get a list of available collections/remote apps
    Deployment options are set to "Use credentials for remote computers"
    Thin clients running Windows embedded standard 09 with IE 8 and RDP version 6.1, supporting protocol 7.0
    What I have found, is that when I use a thin client running Windows Embedded Standard 7 with IE 10, I am able to login to the RDWeb page, and the credentials I use to login are passed to the remote desktop connection when I click on a connection. In this instance, the SSO works correctly, and I only need to enter the credentials once.
    With the WES 09 thin client however, I log in to the RDWeb page, and when clicking on the session collection I am prompted twice more for my credentials, meaning the SSO is not working.
    I have checked that the URL is in the intranet zone, and that "Automatic logon with current username and password" is checked, but this has not helped.
    Is anyone able to suggest things I can check, or do, to get this working?
    Thanks, Eds

    Hi Eds,
    Based on my research, to take advantage of the new Web SSO feature, the client must be running Remote Desktop Connection (RDC) 7.0.
    More information for you:
    Introducing Web Single Sign-On for RemoteApp and Desktop Connections
    http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

    Many thanks Amy,
    As I feared, these thin clients are not able to run that version of the client. I guess our users will have to live with this niggle until we can replace all our thin clients.
    Thanks, again,
    Eds

  • Placing web apps behind SSO

    Hi,
    I have an existing web application (html/jsp) that needs to be put behind SSO. I have found out that this works with the following steps:
    - edit web.xml: add logical roles, define url rules and assign roles to url rules
    - deploy the app to 9iAS and choose LDAP as a user manager
    - after deployment, edit the orion-application.xml to add a security-role-mapping
    What astonishes me is that I cannot assign the logical mapping in JDeveloper already, before deployment. Is there any way to do this? I have tried to include the mapping in application.xml, orion-application.xml and orion-web.xml but it does not work.
    Does anyone know how to do this?
    Thanks,
    Jeroen van Veldhuizen

    Hi Lukey,
    Thank you for your posting in Windows Server Forum.
    What’s the client OS and RDP version used in your environment?
    If it’s a lower version, then I suggest you upgrade the client to RDP 8.1 and then check the result.
    In addition please check “Set RD Gateway authentication method” under the GPO setting at the path mentioned below.
    User Configuration>Administrative Templates>Windows Components>Remote Desktop Services>RD Gateway
    Also go through the articles below for reference.
    1. How to enable Single Sign-On for my Terminal Server connections
    2. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • ACL to handle admin & user vlans (permit/deny rdp, icmp, smb, etc.)

    Hi guys,
    I have a simple setup:
    VLAN 20 = basic users (192.168.20.0/24)
    VLAN 30 = admin vlan (192.168.30.0/24)
    I want to use ACLs to grant/deny access to the different vlans. Basically admins are allowed to access all services in the client network, i.e. RDP, file share access (smb), ping to basic users. Vice versa basic users are not allowed to access the admin network except echo-replies and smb.
    My first approach was to deny everything and just open the specific protocols & ports.
    So, for the admin vlan the ACL is quite simple: permit ip any
    For VLAN 20 clients I tried:
    permit icmp 192.168.20.0 0.0.0.255 any echo-reply
    permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 445
    permit udp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 range netbios-ns netbios-ss
    deny ip 192.168.20.0 0.0.0.255 any
    That didn't work. I only got the ICMP-replies.
    My second approach was to grant everything and deny the specific ports & protocols.
    permit icmp 192.168.20.0 0.0.0.255 any echo-reply
    deny icmp 192.168.20.0 0.0.0.255 any echo
    deny tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 3389
    permit ip 192.168.20.0 0.0.0.255 any
    With the second approach everything is open except the explicitly denied ports, which is not really my preferred solution.
    So, I'd be happy if you guys could help me out with my first approach.
    cheers

    I give you the whole config, just deleted some crypto stuff and unused interfaces.
    Admin-PC is connected to Gi1/0/2, vlan 30
    Client-PC is connected to Gi1/0/4, vlan 20
    Current configuration : 7474 bytes
    ! Last configuration change at 09:37:32 UTC Mon Nov 10 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service compress-config
    hostname nucl3us
    boot-start-marker
    boot-end-marker
    vrf definition Mgmt-vrf
    address-family ipv4
    exit-address-family
    address-family ipv6
    exit-address-family
    enable secret 5 xyz
    username xyz password 7 xyz
    no aaa new-model
    switch 1 provision ws-c3850-48p
    ip routing
    ip device tracking
    qos wireless-default-untrust
    diagnostic bootup level minimal
    identity policy webauth-global-inactive
    inactivity-timer 3600
    spanning-tree mode pvst
    spanning-tree extend system-id
    redundancy
    mode sso
    class-map match-any non-client-nrt-class
    match non-client-nrt
    policy-map port_child_policy
    class non-client-nrt-class
    bandwidth remaining ratio 10
    interface GigabitEthernet0/0
    vrf forwarding Mgmt-vrf
    no ip address
    negotiation auto
    interface GigabitEthernet1/0/2
    description admin-pc
    switchport access vlan 30
    switchport mode access
    interface GigabitEthernet1/0/4
    description VoIP
    switchport access vlan 20
    switchport mode access
    ip access-group 120 in
    interface Vlan1
    no ip address
    shutdown
    interface Vlan20
    description clients
    ip address 192.168.20.1 255.255.255.0
    interface Vlan30
    description management
    ip address 192.168.30.1 255.255.255.0
    no ip http server
    ip http authentication local
    ip http secure-server
    ip access-list standard admin
    permit any
    ip access-list extended deny_admin_rdp
    deny tcp any 192.168.30.0 0.0.0.255 eq 3389
    permit ip any 192.168.30.0 0.0.0.255
    ip access-list extended vlan20
    permit icmp 192.168.20.0 0.0.0.255 any echo-reply
    permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 445
    permit udp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 range netbios-ns netbios-ss
    deny ip 192.168.20.0 0.0.0.255 any
    line con 0
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    login
    line vty 5 15
    login
    wsma agent exec
    profile httplistener
    profile httpslistener
    wsma agent config
    profile httplistener
    profile httpslistener
    wsma agent filesys
    profile httplistener
    profile httpslistener
    wsma agent notify
    profile httplistener
    profile httpslistener
    wsma profile listener httplistener
    transport http
    wsma profile listener httpslistener
    transport https
    ap group default-group
    end
    client -> admin: smb works, ping and rdp denied -> this is ok
    admin -> client: ping works, but no smb or rdp -> this is not ok :-)
    I would like the admin network to access everything in the client network
    cheers
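To see why the first approach behaves as described (client -> admin SMB works, admin -> client SMB and RDP do not), here is a small model of IOS extended-ACL evaluation run over the flows in this thread; it is an added example, not part of the post, and assumes the `vlan20` list is what is applied inbound on the client port, with constructed host addresses. The list is stateless and only sees packets entering from the client VLAN, so the client's replies to admin-initiated SMB/RDP sessions (source port 445/3389, ACK set) fall through to the final deny; the second list adds the IOS `established` keyword, which permits those replies while client-initiated RDP SYNs are still dropped.

```python
"""Model IOS extended-ACL evaluation (first match wins, implicit deny) for the
client-VLAN list in the thread, then show the effect of adding 'established'.
Added example for this thread; not part of the original post."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0          # TCP/UDP source port
    dport: int = 0          # TCP/UDP destination port
    icmp_type: int = -1     # 8 = echo, 0 = echo-reply
    ack: bool = False       # TCP ACK or RST set (what 'established' tests)


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol
    src: str
    src_wild: str           # IOS wildcard mask: 1 bits are ignored
    dst: str
    dst_wild: str
    dport: Optional[Tuple[int, int]] = None   # destination port range; eq = (p, p)
    icmp_type: Optional[int] = None
    established: bool = False


ANY = ("0.0.0.0", "255.255.255.255")
CLIENT = ("192.168.20.0", "0.0.0.255")    # VLAN 20, basic users
ADMIN = ("192.168.30.0", "0.0.0.255")     # VLAN 30, admins


def addr_match(addr: str, base: str, wildcard: str) -> bool:
    keep = ~int(IPv4Address(wildcard))     # bits that must be equal
    return (int(IPv4Address(addr)) & keep) == (int(IPv4Address(base)) & keep)


def rule_match(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not addr_match(pkt.src, rule.src, rule.src_wild):
        return False
    if not addr_match(pkt.dst, rule.dst, rule.dst_wild):
        return False
    if rule.dport is not None and not rule.dport[0] <= pkt.dport <= rule.dport[1]:
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    if rule.established and not pkt.ack:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    for rule in acl:
        if rule_match(rule, pkt):
            return rule.action
    return "deny"           # implicit deny at the end of every IOS ACL


# The poster's "vlan20" list, applied inbound on the client-facing port.
ACL_AS_POSTED = [
    Rule("permit", "icmp", *CLIENT, *ANY, icmp_type=0),          # echo-reply
    Rule("permit", "tcp", *CLIENT, *ADMIN, dport=(445, 445)),     # eq 445
    Rule("permit", "udp", *CLIENT, *ADMIN, dport=(137, 139)),     # range netbios-ns netbios-ss
    Rule("deny", "ip", *CLIENT, *ANY),
]

# Same list with one extra line before the deny:
#   permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 established
# 'established' matches TCP segments with ACK or RST set, i.e. replies to
# sessions the admin side opened, while client-originated SYNs still fall
# through to the deny. It is a stateless heuristic (a host can forge an
# ACK-only segment); reflexive ACLs are the stateful alternative.
ACL_WITH_ESTABLISHED = ACL_AS_POSTED[:3] + [
    Rule("permit", "tcp", *CLIENT, *ADMIN, established=True),
] + ACL_AS_POSTED[3:]


def classify_flows(acl: List[Rule]) -> Dict[str, str]:
    """Verdicts for packets as seen inbound on the client port, the only place the
    ACL applies. Admin-originated requests enter on the unfiltered admin port, so
    only the client's replies to them are evaluated here. Hosts are constructed."""
    c, a = "192.168.20.10", "192.168.30.10"
    flows = {
        "client->admin SMB SYN": Packet("tcp", c, a, 50000, 445),
        "client->admin RDP SYN": Packet("tcp", c, a, 50001, 3389),
        "client->admin ping": Packet("icmp", c, a, icmp_type=8),
        "admin->client ping reply": Packet("icmp", c, a, icmp_type=0),
        "admin->client SMB reply": Packet("tcp", c, a, 445, 51000, ack=True),
        "admin->client RDP reply": Packet("tcp", c, a, 3389, 51001, ack=True),
    }
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("with established", ACL_WITH_ESTABLISHED)):
        print(label)
        for name, verdict in classify_flows(acl).items():
            print(f"  {verdict:<6} {name}")
```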

  • Remote Desktop Client for Mac and SSO

    Hi. 
    We have RDS Deployment (Windows Server 2012 R2) with RD Connection Brokers, RD Session Hosts and Web Access.
    Windows clients log on without any issues, credentials must be entered only once (Single Sign On).
    But Mac clients must enter their credentials twice (on CB and SH).
    Does Remote Desktop Client for Mac support SSO and if it does, what special settings are required?
    Mac users use Microsoft Remote Desktop 8.0.13.

    Sorry, I have missed important detail. This problem appears when I open .rdp files.
    Really, if I create a connection and save my credentials, I will not have to enter credentials. But in this case I can't specify the Collection (loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.SomeCollection - parameter in .rdp file).
    In my case, I open the .rdp file, connect to RD Connection Broker, log in to RD CB, RD CB redirects me to RD Session Host, I log in to RD SH (enter credentials a second time) and now I connect. In this chain there could be a RD Gateway.
    When I connect to the same farm with the same .rdp file from a Windows client, I have to enter credentials only once (SSO works).
    So my question: Does Remote Desktop Client for Mac support SSO? I know that SSO requires CredSSP, is it implemented in Client for Mac?

  • Help with connecting a AFP server to OD Master with SSO

    I am helping to set up a new OD in 10.6 server. Added users to OD and promoted to OD Master. DNS Realm has been set on OD server and hostname and IP address are resolving correctly. Kerberos is running as it should be after OD promotion.
    Also in the mix is another server hosting the filesharing. The Directory has been bound to the OD master on the mainserver. I have entered a machine record in the DNS record of the mainserver.
    Everything is working correctly except for the SSO capabilities when using Kerberos. Users are able to login using network accounts and they can also still access the share points but they are being prompted for their passwords again.
    I have checked the ticket viewer on the client end after signing in and they users are being granted a kerberos ticket.
    I have yet to set the AFP service access to Kerberos, effectively kerberizing the AFP service. Does the AFP service need to be stopped and started for this to take effect? Or does the server need a reboot? This is hard to do during the day as it is used all day long. Is there a way to kerberize the service while it is still running?
    Is there anything that I need to try on the client end? Should I force the users to reset their passwords at the next login, resetting the global password?
    Some users are in a separate local WG on the Fileshare; will this change affect those users that are only contained within that local directory?
    Thanks for any advice.

    RDS > Overview
    CAL Server Roles:
    RD Web Access - not currently being used or configured
    RD Licensing
    RD Connection Broker
    2 App Server Roles:
    RD Session Host
    RDS > Collections
    At first we had one Collection with both App Servers, and didn't realize that it would try to load balance between the two.  We created 2 Collections, one App Server in each Collection and that worked great.
    We set the Collection Deployment Properties > RD Licensing > Per User with the CAL Server as the RD Licensing Server
    RDS > Collections > OurCollectionName > Properties >
    General
    User Groups: Add the AD User group that can RDP to the servers
    Everything else we set as default. (unless you use it as a farm, and you want specific load balancing)
    Host Servers > Add RD Session Host Servers > add the servers you want folks to be able to remote into.  You have to add them to the RDS > Collections > Host Servers first...
    I may have missed some steps in this, but just ask and I'll let you know.
    Thanks!
    Tony Creasey

  • SSO to partner application running under IIS

    Hi,
    We have a complete set-up for 9iAS Release2 where some applications are running. In parallel we have an application running under IIS, and would now like to enable the IIS application as a partner application to 9iAS letting the 9iAS SSO server handle the authentication.
    In the documentation of Oracle Proxy Plug-in I read that this proxy plug-in can be used to proxy requests from IIS to Oracle http server (OHS) and also in this way enable SSO.
    My question is if this can be done only for applications running under 9iAS but having IIS as web server, or if it is also possible like in our case to enable SSO via the proxy plug-in to applications running under IIS?
    If this is not supported is the only available solution to use the SSO SDK in my IIS application?
    Thanks and regards,
    Rikard

    Here's a DIY answer.
    See Metalink Note 269820.1 which shows you how to use Perl to overwrite the host name in the HTTP header and remove the port number.

  • SSO java sample application problem

    Hi all,
    I am trying to run the SSO java sample application, but am experiencing a problem:
    When I request the papp.jsp page I end up in an infinite loop, caught between papp.jsp and ssosignon.jsp.
    An earlier thread in this forum discussed the same problem, guessing that the cookie handling was the problem. This thread recommended a particular servlet, ShowCookie, for inspecting the cookies for the current session.
    I have installed this cookie on the server, but don't see anything but one cookie, JSESSIONID.
    At present I am running the jsp sample app on a Tomcat server, while Oracle 9iAS with sso and portal is running on another machine on the LAN.
    The configuration of the SSO sample application is as follows:
    Cut from SSOEnablerJspBean.java:
    // Listener token for this partner application name
    private static String m_listenerToken = "wmli007251:8080";
    // Partner application session cookie name
    private static String m_cookieName = "SSO_PAPP_JSP_ID";
    // Partner application session domain
    private static String m_cookieDomain = "wmli007251:8080/";
    // Partner application session path scope
    private static String m_cookiePath = "/";
    // Host name of the database
    private static String m_dbHostName = "wmsi001370";
    // Port for database
    private static String m_dbPort = "1521";
    // Schema name
    private static String m_dbSchemaName = "testpartnerapp";
    // Schema password
    private static String m_dbSchemaPasswd = "testpartnerapp";
    // Database SID name
    private static String m_dbSID = "IASDB.WMDATA.DK";
    // Requested URL (User requested page)
    private static String m_requestUrl = "http://wmli007251:8080/testsso/papp.jsp";
    // Cancel URL(Home page for this application which don't require authentication)
    private static String m_cancelUrl = "http://wmli007251:8080/testsso/fejl.html";
    Values specified in the Oracle Portal partner app administration page:
         ID: 1326
         Token: O87JOE971326
         Encryption key: 67854625C8B9BE96
         Logon-URL: http://wmsi001370:7777/pls/orasso/orasso.wwsso_app_admin.ls_login
         single signoff-URL: http://wmsi001370:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout
         Name: testsso
         Start-URL: http://wmli007251:8080/testsso/
         Success-URL: http://wmli007251:8080/testsso/ssosignon.jsp
         Log off-URL: http://wmli007251:8080/testsso/papplogoff.jsp
    Finally I have specified the cookie version to be v1.0 when running the regapp.sql script. Other parameters for this script are copied from the values specified above.
    Unfortunately the discussion in the earlier thread did not go any further but to recognize the cookieproblem, so I am now looking for help to move further on from here.
    Any ideas will be greatly appreciated!
    /Mads

    Pierre - When you work on the sample application, you should test the pages in a separate browser instance. Don't use the Run Page links from the Builder. The sample app has a different authentication scheme from that used in the development environment so it'll work better for you to use a separate development browser from the application testing browser. In the testing browser, to request the page you just modified, login to the application, then change the page ID in the URL. Then put some navigation controls into the application so you can run your page more easily by clicking links from other pages.
    Scott
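    A check that is worth running against the partner-application settings quoted in the post above, as an added example and not code from the original thread or from the Oracle SSO SDK: the values handed to the SDK for the session cookie have to be something the browser will actually store and send back, otherwise the partner application never sees its own session and re-enters the sign-on round trip. The lint below applies the RFC 6265 rules for the Domain and Path attributes (Domain is a bare host name, no port or path; an absent Domain makes the cookie host-only) and checks that the listener token matches the host:port of the requested URL. The dictionary keys mirror the field names in the SSOEnablerJspBean fragment, the sample values are constructed for this example, and treating a single-label Domain as something to avoid is a conservative choice of this check rather than a rule stated on the page.

```python
"""Lint a partner-application SSO session-cookie configuration.

Constructed example: the field names follow the SSOEnablerJspBean
fragment quoted in the thread, the values are sample data.
"""
from urllib.parse import urlsplit

# Settings as posted (constructed copy of the values in the thread).
POSTED_CONFIG = {
    "listenerToken": "wmli007251:8080",
    "cookieName": "SSO_PAPP_JSP_ID",
    "cookieDomain": "wmli007251:8080/",
    "cookiePath": "/",
    "requestUrl": "http://wmli007251:8080/testsso/papp.jsp",
}

# Same settings with an empty Domain: the browser then stores a host-only
# cookie for wmli007251 (RFC 6265 section 5.3, step 6).
FIXED_CONFIG = dict(POSTED_CONFIG, cookieDomain="")


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match, simplified to host names."""
    d = domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)


def lint_partner_cookie_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the cookie scope is sane."""
    problems = []
    domain = cfg["cookieDomain"]
    path = cfg["cookiePath"]
    req = urlsplit(cfg["requestUrl"])

    # Domain attribute is a host name only: no scheme, port or path.
    if any(ch in domain for ch in ":/"):
        problems.append(
            "cookieDomain must be a bare host name without port or path: %r" % domain)
    elif domain and not domain_matches(req.hostname, domain):
        problems.append(
            "cookieDomain %r does not cover the request host %r" % (domain, req.hostname))
    elif domain and "." not in domain.strip("."):
        # Conservative choice of this lint: single-label Domain attributes are
        # handled inconsistently by browsers; a host-only cookie avoids the issue.
        problems.append(
            "cookieDomain %r is a single-label name; leave it empty for a host-only cookie" % domain)

    # Path attribute must be absolute and must cover the protected pages.
    if not path.startswith("/"):
        problems.append("cookiePath must start with '/': %r" % path)
    elif not req.path.startswith(path):
        problems.append(
            "cookiePath %r does not cover the requested page %r" % (path, req.path))

    # The listener token is the host:port the browser actually talks to.
    if cfg["listenerToken"] != req.netloc:
        problems.append(
            "listenerToken %r differs from the request host:port %r"
            % (cfg["listenerToken"], req.netloc))

    return problems


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_partner_cookie_config(cfg) or "ok")
```

    Run it as a script to see the posted settings flagged on the Domain attribute and the host-only variant pass; a partner application whose session cookie is rejected by the browser shows exactly the symptom the post describes, a JSESSIONID but no application cookie.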

  • How to change SSO Partner Application Login_url and Logout_url

    As part of a deployment in a different data centre, we needed to change the domain name of an application using SSO for authentication. We have gone through the process of re-registering the SSO server but this does not update the domain name
    By using diagnostic tools from Oracle we have discovered that the file 'osso.conf' in $ORACLE_HOME/Apache/Apache/conf/osso contains incorrect entries for login_url and logout_url.
    These settings are of the form:
    login_url=http://www.ourolddomain.com/pls/orasso/orasso.wwsso_app_admin.ls_login
    logout_url=http://www.ourolddomain.com/pls/orasso/orasso.wwsso_app_admin.ls_logout
    Please can anyone tell me how these settings can be changed.

    Hi,
    [Solved] SSO fails to show success page you can find some information on re registering mod_osso.
    Hope it helps.

  • HOW TO SET UP PARTNER APPLICATION TO USE SSO OUTSIDE OF PORTAL

    If anyone knows how Portal switches context to run as the db user mapped to the lightweight schema and how it knows the db schema password please let me know.
    Should you have any queries please do not hesitate to contact me on 07775 896738.
    From document Oracle Portal Security Overview on PortalStudio.oracle.com:
    In Single Sign On mode (EnableSSO=Yes in the DAD), mod_plsql determines the name of the light-weight user and mapped database schema by calling
    WPG_SESSION_PRIVATE.GET_LW_USER and WPG_SESSION_PRIVATE.GET_DB_USER respectively.
    ** These calls are done using the Portal Schema (PORTAL30) and Portal schema password **
    mod_plsql then executes the procedure in the requested URL by using the N-Tier Authentication feature to connect to the database as the user returned from
    WPG_SESSION_PRIVATE.GET_DB_USER. ..... Note that N-Tier Authentication requires all schemas to be used for Portal user mappings to be granted 'connect
    through' privileges to the Portal schema (PORTAL30).
    The WWCTX packages are also used.
    So this is how it works with standard Portal
    - the document states that the WPG_SESSION_PRIVATE package is only accessible to the Portal schema
    - but I checked and it is also available to PORTAL30_SSO
    SQL> desc WPG_SESSION_PRIVATE
    PROCEDURE CREATE_SESSION
    Argument Name Type In/Out Default?
    P_COOKIE_NAME VARCHAR2 IN
    FUNCTION GET_DB_USER RETURNS VARCHAR2
    FUNCTION GET_LW_USER RETURNS VARCHAR2
    PROCEDURE GET_SESSION_INFO
    Argument Name Type In/Out Default?
    NUM_PARAMS NUMBER OUT
    PARAM_NAMES TABLE OF VARCHAR2(32000) OUT
    PARAM_VALUES TABLE OF VARCHAR2(32000) OUT
    PROCEDURE RESET_SESSION
    Argument Name Type In/Out Default?
    P_COOKIE_NAME VARCHAR2 IN
    In my case only the Login Server (PORTAL30_SSO) is going to be used/installed
    - the SAMPLE_SSO_PAPP application will only work if the DAD used to access it is set to use Basic authentication, i.e. the actual integration with the Login Server
    is done in the sample application code calls, stored in the database
    - when a DAD has enableSSO=yes it automatically accesses Portal (PORTAL30) packages to implement N-Tier authentication
    I'm currently testing:
    1. Configuring the SAMPLE_SSO_PAPP sample as documented with a DAD with Basic authentication
    2. Amending the ssoapp procedure to set context to another (db) user on successful authentication:
    wwctx_api.set_context (
    p_user_name => 'SCOTT',
    p_password => 'TIGER' );
    3. If this works then set_context with get_lw_user instead
    I have now amended the ssoapp procedure as follows to print out
    1. The userid entered when the login box is presented
    2. The Database user which the Portal Lightweight user is mapped to
    3. The Lightweight user Portal has used for authentication
    Amendments to papp.pkb:
    (ssoapp procedure, declare db_user_info and lw_user_info as VARCHAR2 in declare section)
    htp.p('Congratulations! It is working!<br>');
    db_user_info := wwctx_api.get_db_user;
    lw_user_info := wwctx_api.get_user;
    htp.p('User Information:' || l_user_info || '<br>');
    htp.p('DB User Information:' || db_user_info || '<br>');
    htp.p('LW User Information:' || lw_user_info || '<br>');
    The following shows the interesting results from my testing:
    - if the user owning the sample_sso_papp package is PORTAL30_SSO then the call to wwctx_api.get_db_user succeeds
    - if the user owning the sample_sso_papp package is a non-portal schema e.g. SSOAPP below the call to wwctx_api.get_db_user generates a User Defined exception
    Steps to test:
    Created new schema SSOAPP on the database
    - edited it in Portal and checked the use this schema for Portal users checkbox
    - created new Lightweight user SSO_LW in Portal, mapped it to SSOAPP schema
    - created new Lightweight user SSO_SCOTT in Portal, mapped to SCOTT schema
    - loadjava -user ssoapp/ssoapp@portal30 SSOHash.class
    - sqlplus portal30/portal30@portal30
    @provsyns ssoapp
    - sqlplus ssoapp/ssoapp@portal30
    @loadsdk.sql
    @loadpapp.sql
    Created DAD with basic authentication SAMPLE_SSO_PAPP
    - username: ssoapp
    - default home page: sample_sso_papp.ssoapp
    Registered the Sample SSO Partner Application with the Login Server and ran regapp.sql
    Commented out the calls to get_db_user in papp.pkb to avoid exception
    - called http://<server>/pls/sample_sso_papp
    - logged on as SSO_LW/sso_lw
    - got output:
    Congratulations! It is working!
    User Information: SSO_LW
    LW User Information: PUBLIC
    So the Portal lightweight user is not returned as SSO_LW
    if anyone knows why the Lightweight User in my test is returned as PUBLIC not SSO_LW
    Best Regards
    Michael

