Require cert and domain credentials to authenticate?

Is there a way to require a machine certificate AND domain credentials to authenticate to a wireless network (Cisco LWAPP, ACS, AD)?
My objectives are:
1. Permit access from corporate hardware ONLY, i.e., prevent users from logging on from a personal laptop or PDA using their domain credentials.
2. Validate that an employee is logging on to the network.
My current PEAP implementation only satisfies the second condition, and from everything I have read EAP-TLS will only satisfy the first. Is there a solution?
Thanks

PEAP or EAP-TLS with machine auth will do the first one; then the user can log in as normal with their user credentials.

Similar Messages

  • ISE EAP-Chaining with machine, certificate and domain credentials

    Good morning,
    A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
    Corp. wireless to authenticate with 2-factor authentication:
    1. Certificate
    2. Machine auth thru AD
    3. Domain creds
    When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
    Clients are Windows laptops and corporate iPhones.
    Certs can be issued thru GPO and MDM for iPhones.
    Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
    My first question is: can this be done?
    Second question: how would I implement this from an AuthC/AuthZ perspective?
    Thanks in advance,
    Andrew

    You can do this by configuring AnyConnect with NAM modules on endpoints! But it doesn't make sense to me to configure some clients with certificates and others with domain credentials...
    For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and I'm getting some problems. The first one I got was with Windows 8: for some reason Windows was sending wrong information about the machine password, but I solved the problem by installing a KB on the Windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got is with Windows 7 machines that are sending correct information about the domain but wrong information about user credentials; in the ISE logs I can see that Windows 7 is sending user "anonymous" + machine name on the first login... After Windows 7 starts, if I remove the cable and connect again, the authentication and authorization happen correctly. I am still investigating the root cause and whether there is a KB to solve the problem as I did with Windows 8.
    Good luck and keep in touch.

  • Require Computer Certificate And user credentials

    Hi All,
    I'm trying to test 802.1x authentication in a lab environment with some standalone 1131AGs and a Server 2008 R2 NPS server. I've been able to set up a few different scenarios but none have met all my requirements:
    Scenario 1:
    Laptops in the domain automatically get certs from a GPO
    Laptops in the domain automatically get an SSID configured from a GPO
    Laptops in the domain automatically authenticate using their computer certificate.
    Problem:
    I can't add non-domain computers to this network. I've tried installing computer certs using Windows 2008 R2's certsrv CA web portal but these types of certs don't seem to work.
    Scenario 2:
    Same as below except I provide non-domain computers with a user certificate which they can request through Windows 2008 R2's certsrv CA web portal.
    They can connect BUT they can export the private key and put it on other devices or give it to their friends, etc.
    I'd like to figure out a way to ensure certificates can't be exported or at least require a user cert and a username and password to get onto the wireless network. Is this not possible with EAP-TLS or PEAP-TLS?
    Thanks!

    Yon,
    Moving this to AAA forum.
    Thanks,
    Vinay Sharma
    Community Manager - Wireless
    Cisco Support Community

  • SCCM 2012 MDT 2012 UDI Require domain credentials to run task sequence

    We are in the process of moving to SCCM 2012 integrated with MDT 2012 for OSD from using MDT 2012 by itself. We're trying out UDI task sequences and have noticed a pretty gaping hole in functionality vs MDT 2012 by itself: password protecting a task sequence.
    In MDT 2012 there was a built-in feature that required domain credentials to run a task sequence. If one exists using SCCM/MDT 2012, I haven't been able to find it. I've only found stuff like this http://www.windows-noob.com/forums/index.php?/topic/2336-password-protect-a-task-sequence/ which would allow you to set a password, but not authenticate against AD. So, I'm wondering if there are any options to protecting a task sequence with domain authentication?
    My understanding is that the Refresh and Replace StageGroup only run when you kick off a UDI task sequence in Windows. That means I have to make a task sequence available to the Configuration Manager Client in order for a tech to run a Refresh/Replace. And, that in turn means that the UDI task sequence will be visible to all users since it needs to be available to their computer. Or, am I completely missing how UDI OSD should flow? If so, then I hope someone can correct me.
    I'd appreciate any help or advice you can give. Thanks. 

    Hi,
    I am sorry to say that you are correct in your conclusions. There is no builtin way in ConfigMgr/MDT/UDI to require a domain username/password to run a task sequence, your option from Windows-noob.com is one way of solving it.
    Regards,
    jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Thanks for the info. What about workflow? How do you usually handle UDI in Replace and Refresh scenarios? Do you deploy the task sequence to collections that users can access?

  • How to have Infopath form use Sharepoint Domain credentials

    I have built a form in InfoPath which is published to a library on SharePoint 2013. This form is filled out by certain users and when it's completed it gets moved into a subfolder. We then provide a link to a client who has a domain account with restricted access to just this folder of SharePoint. They can view this form and any others we put in this folder.
    The form has 2 views. The first is the view our staff sees when filling it out. There are some hidden sections in there for us that the client does not need to see. So there is a second view which is read only and I have taken away the option for them to switch views so they can't go back to our internal view.
    What I would like to happen is that the form can somehow detect, by the domain login info from SharePoint, what user is opening the form and switch views based on that. What I can't figure out is how to have the form pull domain credentials from the SharePoint site and use those as a variable when opening the form to set the view.
    I believe I am on the right path with trying to set up a data connection but I am just missing something. I found this great guide http://www.pointgowin.com/seethepoint/Lists/Posts/Post.aspx?ID=55 but now when I open the form I get a warning stating "You do not have permissions to access a SharePoint list that contains data required for this form to function correctly." Also I still can't seem to pull the username.
    Can someone help me out? Point me in the right direction? Thanks.

    Hi,
    According to your post, my understanding is that you wanted to have Infopath form use Sharepoint Domain credentials.
    When you use Claims-based authentication, your user name is prefaced by “0#.w|”. So for example, if your user name is SuesDomain\jdoe then your Claims-based user token will be, without the quotes: “0#.w|SuesDomain\jdoe”
    InfoPath can’t handle that, or more specifically, the UserProfile.asmx method GetUserProfileByName can’t handle that. InfoPath tries to pass in your Claims-based user token instead of your domain\User Name.
    You have an authentication problem where the currently logged in user is not allowed to hit the web service, so you get an Access Denied 401 authentication error.
    To resolve the issue, you can refer to the great blog:
    SharePoint 2013, InfoPath and Claims – GetUserProfileByName
    More information:
    InfoPath over Claims Authentication (SharePoint 2010 & 2013)
    SharePoint 2013 Business Connectivity Services Search and Profile Page - MetroStar Systems Blog
    Thanks,
    Linda Li
    Forum Support

  • % No CA root cert exists. Use "ca authenticate"

    Hi,
    I am trying to configure the PIX to use certificates from a MS CA. I have it working fine with ASA5505 and 5510's but when I try to get it working with a PIX 506E and 501 using 6.3 I get the % No CA root cert exists. Use "ca authenticate", message after the ca enroll command.
    Can someone give me a heads up on what I might be doing wrong?
    Commands Used:
    hostname Pix506e
    domain-name nesa.lab
    ca generate rsa key 512 (and I also tried 1024)
    ca identity ciscoserver.nesa.lab 11.11.11.26
    ca configure ciscoserver.nesa.lab ca 1 20 crloptional
    ca authenticate ciscoserver.nesa.lab
    ca enroll ciscoserver.nesa.lab 8EC4CEAD54268142 serial ipaddress
    ....and that is where the % No CA root cert exists. Use "ca authenticate" shows up.
    Any help is appreciated.

    I made the changes and the following is what happened.
    Thanks,
    PIX506E(config)# ca zeroize rsa
    PIX506E(config)# ca generate rsa key 512
    Keypair generation process begin.
    .Success.
    Insert Selfsigned Certificate:
    30 82 01 9f 30 82 01 49 02 20 66 38 61 37 33 30 64 63 35 38
    63 65 30 64 33 31 38 65 37 65 62 36 39 30 37 61 66 63 31 61
    65 35 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 4b 31
    49 30 0f 06 03 55 04 05 13 08 33 30 32 63 35 61 66 35 30 17
    06 03 55 04 03 13 10 50 49 58 35 30 36 45 2e 6e 65 73 61 2e
    PIX506E(config)# 09 2a 86 48 86 f7 0d 01 09 02 16 10 50 49
    PIX506E(config)# ca identity ciscoserver.nesa.lab 11.11.11.26:/certsrv/mscep/m$
    PIX506E(config)# ca configure ciscoserver.nesa.lab ra 1 20 crloptional
    PIX506E(config)# ca authenticate ciscoserver.nesa.lab
    CI thread sleeps!
    Crypto CA thread wakes up!
    CRYPTO_PKI: http connection opened
    CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
    CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
    Certificate has the following attributes:
    Fingerprint: fb4f82b6 d1204e94 d83675a7 4f446c2c
    CRYPTO_PKI: Name: EA = [email protected], CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,
    C = CA
    CRYPTO_PKI: Name: EA = [email protected], CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,
    C = CA
    CRYPTO_PKI: transaction GetCACert completed
    CRYPTO_PKI: Name: EA = [email protected], CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,
    C = CAPIX50
    CRYPTO_PKI: Name: EA = [email protected], CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,
    C = CA
    Crypto CA thread sleeps!
    CI thread wakes up!6E(config)# $lab F3567C82D9D72346 serial ipaddress
    CI thread sleeps!
    ca enroll ciscoserver.nesa.lab F3567C82D9D72346 serial ipaddr$
    % Start certificate enrollment ..
    % The subject name in the certificate will be: PIX506E.nesa.lab
    % Certificate request sent to Certificate Authority
    % The certificate request fingerprint will be displayed.
    PIX506E(config)#
    CRYPTO_PKI: transaction PKCSReq completed
    CRYPTO_PKI: status:
    Crypto CA thread sleeps!
    PIX506E(config)# Fingerprint: 437269d6 62eb2a2e 1bd850da 5532ca47
    CRYPTO_PKI: http connection opened
    The certificate enrollment request was denied by CA!
    CRYPTO_PKI: received msg of 670 bytes
    CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL
    CRYPTO_PKI: signed attr: pki-message-type:
    13 01 33
    CRYPTO_PKI: signed attr: pki-status:
    13 01 32
    CRYPTO_PKI: signed attr: pki-recipient-nonce:
    04 10 9a 66 93 fd ac 8b 9e f1 90 92 fb 18 a1 52 83 bc
    CRYPTO_PKI: signed attr: pki-transaction-id:
    13 20 66 38 61 37 33 30 64 63 35 38 63 65 30 64 33 31 38 65
    37 65 62 36 39 30 37 61 66 63 31 61 65 35
    CRYPTO_PKI: status = 101: certificate request is rejected
    CRYPTO_PKI: All enrollment requests completed.
    CRYPTO_PKI: All enrollment requests completed.
    PIX506E(config)#
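
Added example (not part of the original post, and not Cisco tooling): the `signed attr` bytes in the debug output above are DER-encoded SCEP attributes, and decoding them shows what the CA actually answered. The function names are made up for this sketch, the sample lines are copied from the post, and the code-point tables are taken from the SCEP specification (RFC 8894).

```python
import re

# SCEP code points as defined in RFC 8894 (messageType and pkiStatus attributes).
MESSAGE_TYPES = {"3": "CertRep", "17": "RenewalReq", "19": "PKCSReq",
                 "20": "CertPoll", "21": "GetCert", "22": "GetCRL"}
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}

# Constructed sample: debug lines copied from the post above.
SAMPLE_LOG = """\
CRYPTO_PKI: received msg of 670 bytes
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 32
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 9a 66 93 fd ac 8b 9e f1 90 92 fb 18 a1 52 83 bc
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 66 38 61 37 33 30 64 63 35 38 63 65 30 64 33 31 38 65
37 65 62 36 39 30 37 61 66 63 31 61 65 35
CRYPTO_PKI: status = 101: certificate request is rejected
"""

ATTR_RE = re.compile(r"signed attr:\s*(pki-[a-z-]+):")
HEX_LINE_RE = re.compile(r"^[0-9a-fA-F]{2}(?:\s+[0-9a-fA-F]{2})*$")


def decode_tlv(raw):
    """Decode one short-form DER TLV: PrintableString (0x13) or OCTET STRING (0x04)."""
    if len(raw) < 2:
        raise ValueError("truncated TLV")
    tag, length = raw[0], raw[1]
    if length & 0x80:
        raise ValueError("long-form DER length is not handled in this sketch")
    if len(raw) != 2 + length:
        raise ValueError("length mismatch: header says %d, dump has %d"
                         % (length, len(raw) - 2))
    value = raw[2:]
    if tag == 0x13:
        return value.decode("ascii")   # printable text, e.g. a status digit
    if tag == 0x04:
        return value.hex()             # opaque bytes, e.g. a nonce
    raise ValueError("unexpected tag 0x%02x" % tag)


def parse_signed_attrs(log_text):
    """Collect the hex lines that follow each 'signed attr' header and decode them."""
    raw = {}
    current = None
    for line in log_text.splitlines():
        line = line.strip()
        header = ATTR_RE.search(line)
        if header:
            current = header.group(1)
            raw[current] = bytearray()
        elif current and HEX_LINE_RE.match(line):
            raw[current] += bytes.fromhex(line)   # dump may wrap over several lines
        else:
            current = None                        # any other line ends the dump
    return {name: decode_tlv(bytes(data)) for name, data in raw.items()}


def summarize(attrs):
    """Map the decoded attribute values to their SCEP names."""
    msg_type = attrs.get("pki-message-type")
    status = attrs.get("pki-status")
    return {
        "message_type": MESSAGE_TYPES.get(msg_type, "unknown (%s)" % msg_type),
        "status": PKI_STATUS.get(status, "unknown (%s)" % status),
        "transaction_id": attrs.get("pki-transaction-id"),
        "recipient_nonce": attrs.get("pki-recipient-nonce"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_signed_attrs(SAMPLE_LOG)).items():
        print("%s: %s" % (key, value))
```

The decoded reply is a CertRep with pkiStatus FAILURE, and no failInfo attribute appears among the logged attributes, so the device-side debug alone does not say why the CA rejected the request.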

  • Difference b/w data element and domain

    Hi everybody,
    When creating a table, after giving the column name we can mention the direct type or specify the data element. In the data element we mention data types and other properties; similarly, in data elements we can also specify the domain.
    My question is: what is the relationship or difference between data element and domain? Please clear my concepts.
    Rai.

    Domain is the central object for describing the technical characteristics of an attribute of a business object. It describes the value range of the field. Data Element: It is used to describe the semantic definition of the table fields, like the description of the field. Data element describes how a field can be displayed to the end-user.
    A domain defines the properties of a data element within ABAP. The properties include the data element type, its length if required and any restrictions on the values that may be entered into that variable. By defining a domain you can automate and greatly reduce the amount of work required when handling, amongst other things, user input parameters. Domains also standardise your programs. By using a domain rather than individually defining the variables within your program, any changes to the domain's characteristics are automatically passed on to any programs that use that domain.
    A data element is the one which has the information about the field's representation on the screen in the form of FIELD TEXTS, COLUMN CAPTIONS in list outputs of the table contents and the format of the output via PARAMETER IDS and Online field documentation.
    Cheers
    Nishanth

  • Hyper V Hosts and Domains

    Can I have Hyper-V hosts connected to one domain and then connect a VM to another domain?
    I have three quad-port NICs - two will be connected to my DMZ domain and then to accommodate DirectAccess I propose connecting one to my corporate LAN. I will then create the required vswitches and place my DirectAccess servers on the DMZ switch and the LAN switch for a 2 leg deployment?
    Your thoughts please?

    Sure, no problem with that. Each OS whether physical host or guest VM can join any domain they can reach.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

    I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates are not necessary on the client. The RADIUS server is a Microsoft NPS and the WLC is a Cisco 5508.
    thanks !!!

    WPA and WPA2 are all actually interim protocols that are used until the standardization of IEEE 802.11i standard. Wi-fi appliance decided that ratification and standardization of 802.11i standards will take more time. So, they came up with WPA.
    Now, WPA2 is an advanced version of WPA. WPA2 uses AES as encryption algorithm. Whereas, WPA uses TKIP as encryption mode which in turn uses RC4 encryption algorithm.
    WPA and WPA2 are actually of 2 types respectively.
    WPA/WPA2-PSK - This is mainly for small offices. This uses Pre-Shared Key for authentication.
    WPA/WPA2-Enterprise - This uses a RADIUS Server for authentication. This is an extension to 802.1x authentication. But this uses a stronger encryption scheme (WPA uses RC4 and WPA2 uses AES).
    Any authentication mechanism that involves a separate authentication server for authentication, like an ACS server, is called 802.1x authentication.
    EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x Authentication by the RADIUS/TACACS server. A RADIUS server can authenticate a wireless client with various EAP methods.
    LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is Cisco proprietary.
    There are also EAP types which use other user credentials like Certificates, SIM etc. for authentication.
    The following document might clarify your doubts.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

  • What is the Best Practice for publishing Offline Root CA Cert and CRL to Active Directory?

    Hi,
    I've read and seen in a few labs different approaches to what is published in Active Directory for a Offline Root CA.  I've seen just the Root Cert published to AD as well as the Root Cert and the Root CRL published to AD. 
    I can understand why the Root Cert is published to AD, but why would the Root CRL need to be published to AD, especially if my Offline Root CA just issues the Cert for my Subordinate Issuing CA?  So looking for Best Practices here.
    Thanks for your help! SdeDot

    On Sun, 22 Feb 2015 18:44:25 +0000, Andrzej Kazmierczak wrote:
    > Best practice is to publish CRL to 2 alternative paths - LDAP for your internal users to access them on the first place and HTTP as an alternative option to LDAP and as the only option for your external users.
    No, the current recommended best practice is to publish to a highly available HTTP location first (and possibly the only CDP) that is available both internally and externally. This covers Windows and non-Windows devices, domain joined and non-domain joined devices and internal and external devices as well as multi-forest scenarios with no trust between forests.
    Paul Adare - FIM CM MVP

  • OS X Server clients can't login after IP renumber and domain Name change

    I can not seem to get the logins working again on my OS X server (10.9.4 w/ server 3.1.2 on a 1 yr old. MacMini) after I needed to renumber the IP and change the domain name. I destroyed the Open Directory server, recreated it and created one test account. If I log in to the client with a local account I can connect to the server (Go>Connect To Server)  from the client using my newly created account, but when I try to login to the server  using the same network account login I get the "shaking head" response immediately. I have rebound the server to this client and it says that network accounts are available, but seem to be at a loss to understand why it won't let me login...
    The only error message I see in any of the logs is the following:
    (AFP Error Log:) Sep 15 20:21:47 isis.mydomain.com AppleFileServer[3032] <Info>: major error <1>: No credentials were supplied, or the credentials were unavailable or inaccessible.
    I'm not sure what credentials it is referring to. I created a self signed certificate that I am using with OD, could that be the one?

    Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
    1. The OD master must have a static IP address on the local network, not a dynamic address.
    2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
    3. The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
    4. Follow these instructions to rebuild the Kerberos configuration on the master.
    5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.
    6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
    7. Reboot the master and the clients.
    8. Don't log in to the server with a network user's account.
    9. Disable any internal firewalls in use, including third-party "security" software.
    10. If you've created any replica servers, delete them.
    11. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UID's are in the 1001+ range.

  • Network user ID and Domain in HR infotypes

    Hi,
    I have a requirement to retrieve network user ID and domain based on SAP user ID from HR infotypes. Does anyone know in which infotype I can find these fields?
    Regards
    Hema

    Hi Hema,
    1. Infotype: 0105.
    Database table for that IT: PA0105.
    2. Write a SELECT query like this:
    " l_sap_user stands for the SAP user ID being looked up.
    " Step 1: personnel number for that SAP user ID (subtype 0001), valid today.
    SELECT SINGLE pernr
      FROM pa0105
      INTO l_pernr
      WHERE subty = '0001'
        AND usrid = l_sap_user
        AND begda LE sy-datum
        AND endda GE sy-datum.
    " Step 2: network user ID (subtype 9NWI) for that personnel number.
    SELECT SINGLE usrid
      FROM pa0105
      INTO l_usrid
      WHERE pernr = l_pernr
        AND subty = '9NWI'
        AND begda LE sy-datum
        AND endda GE sy-datum.
    I hope that you will do it.
    Thanks,
    Venkat.O

  • Logging on to Win 8.1 workstation with domain credentials

    Hi All.
    I've been on Windows 8 Pro (now 8.1 Update 1) for over a year now. Until now, I've always logged on to my workstation with my MS account. I recently decided to join my workstation to a domain where the Primary DC is running Server 2008 R2. I joined the domain without a hitch, but when I try to log on to the workstation using domain credentials, the logon screen seems to insist on an MS account. It wants the user name to be in email form only. When I tried to use my domain credentials in that format ([email protected]) it told me that the password is wrong and I should make sure to use my MS account password.
    I tried disconnecting my MS account from my local account, but it didn't help.
    Any ideas?

    I'm not sure if what you are doing is supported: to have a local MS sign-in account as well as a corporate domain account residing side by side. You might have to give up your MS sign-in and use a local ID for the domain logon to work.
    You may, however, consider setting this up using the Workplace Join feature in 8.1, which should work much better:
    http://blogs.technet.com/b/keithmayer/archive/2013/11/08/why-r2-step-by-step-solve-byod-challenges-with-workplace-join.aspx

  • Procedure for creating transparent table, data element and domain

    Hi,
    Can anybody let me know the procedure for creating a transparent table, data element and domain?
    Thanks,
    Mahathi

    Hi
    Database table and its components
    A database table is the central data structure of the ABAP/4 data dictionary.
    The structure of the objects of application development are mapped in tables on the underlying relational database.
    The attributes of these objects correspond to fields of the table.
    A table consists of columns (fields) and rows (entries). It has a name and different attributes, such as delivery class and maintenance authorization.
    A field has a unique name and attributes; for example it can be a key field.
    A table has one or more key fields, called the primary key.
    The values of these key fields uniquely identify a table entry.
    You must specify a reference table for fields containing a currency (data type CURR) or quantity (data type QUAN). It must contain a field (reference field) with the format for currency keys (data type CUKY) or the format for units (data type UNIT). The field is only assigned to the reference field at program runtime.
    The basic objects for defining data in the ABAP Dictionary are tables, data elements and domains. The domain is used for the technical definition of a table field (for example field type and length) and the data element is used for the semantic definition (for example short description).
    A domain describes the value range of a field. It is defined by its data type and length. The value range can be limited by specifying fixed values.
    A data element describes the meaning of a domain in a certain business context. It contains primarily the field help (F1 documentation) and the field labels in the screen.
    A field is not an independent object. It is table-dependent and can only be maintained within a table.
    You can enter the data type and number of places directly for a field. No data element is required in this case. Instead the data type and number of places is defined by specifying a direct type.
    The data type attributes of a data element can also be defined by specifying a built-in type, where the data type and number of places is entered directly.
    Two Level Domain Example
    A domain defines a field technically and therefore it may be used at different business levels.
    A data element describes the meaning of a domain in a certain business context.
    A domain, however, is used for the technical definition of a table field (for example field type and length).
    Therefore, although a take-off airport (data element S_FROMAIRP) would have a different business meaning from an airport where a plane lands (data element S_TOAIRP), they could still have the same domain(here S_AIRPID) because technically we could assign the same number of characters whether the airport is a take-off or a landing airport.
    Definitions of Table in Database
    In SAP R/3 tables are defined as
    A) Transparent tables: All of the fields of a dictionary table correspond to a field in the real database table.
    B) Pooled tables: Different tables which are not linked to each other with a common key are combined into a TABLE POOL. Several logical tables thus exist as a single real database table.
    C) Cluster tables: Several tables linked by a common key may sometimes be combined by the data dictionary and made to exist on the database schema as a single table.
    SAP is evolving R/3 tables in transparent tables.
    Elaboration on each of the definitions
    A transparent table is automatically created on the database when it is activated in the ABAP Dictionary. At this time the database-independent description of the table in the ABAP Dictionary is translated into the language of the database system used.
    The database table has the same name as the table in the ABAP Dictionary. The fields also have the same name in both the database and the ABAP Dictionary. The data types in the ABAP Dictionary are converted to the corresponding data types of the database system.
    The order of the fields in the ABAP Dictionary can differ from the order of the fields on the database. This permits you to insert new fields without having to convert the table. When a new field is added, the adjustment is made by changing the database catalog (ALTER TABLE). The new field is added to the database table, whatever the position of the new field in the ABAP Dictionary.
    Tables can also reside on the database as Pooled tables or cluster tables
    Pooled Tables: Different tables which are not linked to each other with a common key can be combined into a Table Pool. The tables contained within this pool are called Pooled Tables. A table pool is stored in the database as a simple table. The table's data sets contain, in separate fields, the actual key for the data set to be stored, the name of the pooled table and the contents of the data set to be stored.
    Using this schema, several logical tables are combined into a single real database table. Although the data structure of each set is lost during the write to the table pool, it is restored during the read by the ABAP/4 Data Dictionary. The ABAP/4 Data Dictionary utilizes its meta-data to accomplish this.
    Since information must be prepared (defined) within the ABAP/4 Data Dictionary when it is read or written to (or accessed), this process itself defines these as not transparent tables.
    Cluster Tables: Occasionally, several tables may be linked by a common key. The ABAP/4 Data Dictionary can also combine these tables into a single table. Each data set of the real table within the database contains a key and in a single data field, several data sets of the subsequent table for this key.
    As mentioned above, these table types require special data handling, therefore they are not transparent tables.
    Technical Settings in Dictionary
    The data class logically defines the physical area of the database (for ORACLE the table space) in which your table should be created. If you choose the data class correctly, the table will automatically be created in the appropriate area on the database when it is activated in the ABAP Dictionary.
    The most important data classes are master data, transaction data, organizational data and system data.
    Master data is data that is rarely modified. An example of master data is the data of an address file, for example the name, address and telephone number.
    Transaction data is data that is frequently modified. An example is the material stock of a warehouse, which can change after each purchase order.
    Organizational data is data that is defined during customizing when the system is installed and that is rarely modified thereafter. The country keys are an example.
    System data is data that the R/3 System itself needs. The program sources are an example.
    Further data classes, called customer data classes (USER, USER1), are provided for customers. These should be used for customer developments. Special storage areas must be allocated in the database.
    The size category describes the expected storage requirements for the table on the database.
    An initial extent is reserved when a table is created on the database. The size of the initial extent is identical for all size categories. If the table needs more space for data at a later time, extents are added. These additional extents have a fixed size that is determined by the size category specified in the ABAP Dictionary.
    You can choose a size category from 0 to 4. A fixed extent size, which depends on the database system used, is assigned to each category.
    Correctly assigning a size category therefore ensures that you do not create a large number of small extents. It also prevents storage space from being wasted when creating extents that are too large.
    Modifications to the entries of a table can be recorded and stored using logging.
    To activate logging, the corresponding field must be selected in the technical settings. Logging, however, only will take place if the R/3 System was started with a profile containing parameter 'rec/client'. Only selecting the flag in the ABAP Dictionary is not sufficient to trigger logging.
    Parameter 'rec/client' can have the following settings:
    rec/client = ALL - All clients should be logged.
    rec/client = 000[...] - Only the specified clients should be logged.
    rec/client = OFF - Logging is not enabled on this system.
    The data modifications are logged independently of the update. The logs can be displayed with the Transaction Table History (SCU3).
    Logging creates a 'bottleneck' in the system:
    Additional write access for each modification to tables being logged.
    This can result in lock situations although the users are accessing different application tables!
    Create transparent table
    Go to transaction SE11. Enter the name of the table you want to create (beginning with Y or Z) and click on the Create pushbutton.
    Enter the delivery class and the table maintenance criteria
    The delivery class controls the transport of table data when installing or upgrading, in a client copy and when transporting between customer systems.
    The display/maintenance indicator specifies whether it is possible to display/maintain a table/view using the maintenance tools Data Browser (transaction SE16) and table view maintenance (transactions SM30 and SM31).
    Enter the name of the table field and the data element. The system automatically populates the technical details for existing data elements.
    So far as possible it is advisable to use existing data elements which befit the business requirements.
    However, we may create data elements if need be. The same is shown in the next slide.
    To create a data element simply double click on it.
    Alternatively, create a data element by simply choosing the data type radio button on the SE11 initial screen.
    Create data element
    The system prompts you to create a new data element. Choose the Yes pushbutton.
    Under the data type tab, enter the domain name which determines the technical characteristics of the field.
    Further characteristics tab: Allows you to specify a search help assigned to the data element.
    It also allows you to specify a parameter id which helps you populate a field from SAP memory.
    Field label: Can be assigned as prefixed text to a screen field referring to the ABAP Dictionary. The text is displayed on the screen in the logon language of the user (if the text was translated into this language).
    Create domain
    If the domain does not exist in the data dictionary, the system prompts you to create one.
    Give the technical characteristics under the definition tab. The value range allows you to restrict values at domain level.
    Value range tab:
    As explained in the section Consistency through input checks, one can restrict the possible values for a field at domain level itself by either entering fixed values or by specifying a value table under the tab Value range.
    Currency/Quantity fields in a table
    A currency or a quantity field must be assigned a reference field from a reference table containing the applicable quantity unit or currency unit.
    Field of the reference table, containing the applicable quantity unit or currency
    A field containing currency amounts (data type CURR) must be assigned a reference field including the currency key (data type CUKY).
    A field containing quantity specifications (data type QUAN) must be assigned a reference field including the associated quantity unit (data type UNIT).
    Create transparent table (continued)
    Maintain the technical settings of the table by clicking on the tab

  • Nagios, certs, and NRM/ Remote Manager

    We just created a brand new xen guest OES11sp2/SLES11sp3 server, and already the certs for the NRM are no good, they're still using the ones created in YAST during the SLES install portion.
    (eDirectory certs were created and all four validate just fine)
    For now, I just made an exception in my browser, but when I go to the NRM and go to check Health status, I get a nagios login window. That's new. And if I try to log in with my eDir credentials, it fails, and now I just see a 500 error. The rest of NRM works okay though.
    If I export the eDir certs and use keytool to export them to server.pem and server.key and overwrite the ones at /etc/opt/novell/httpstkd (well, actually, /etc/ssl/servercerts), will that fix nagios or is there another issue here?
    And I'm wondering why the eDirectory certs didn't overwrite the YAST certs. We always have the install do that.

    This gets weirder.
    I used "openssl x509 -in servercert.pem -text" on the new server to check the servercert.pem cert under /etc/ssl/servercerts, and it turns out it IS the eDirectory cert.
    I've restarted both nagios and httpstkd, but the httpstkd configure page claims it's using the old Yast cert; it is configured to use the /etc/ssl/servercerts (through a softlink).
    Firefox accepts the cert fine, Chrome complains that the certificate doesn't match the URL, which is ridiculous. It's absolutely the same.
    I hate certs.
    Anyway, in either case, I still get the 500 error with nagios. It asks for a login, I have no idea what it wants. My edir user doesn't work, and neither does root.
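
An added example, not part of the original posts: Chrome matches the hostname only against the certificate's subjectAltName and ignores the CN, which is one possible reason for a "doesn't match the URL" error on a certificate whose subject looks right. The script builds two throwaway certificates for the constructed hostname nrm.example.test and checks SAN coverage, key/certificate pairing and fingerprints with the openssl CLI; all function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: certificates, keys and the hostname are constructed test data.
set -eu
workdir=$(mktemp -d)

# make_cert NAME CN [SAN]: write a throwaway self-signed cert and key to $workdir.
make_cert() {
  name=$1; cn=$2; san=${3:-}
  set -- -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
         -keyout "$workdir/$name.key" -out "$workdir/$name.pem"
  [ -z "$san" ] || set -- "$@" -addext "subjectAltName=$san"
  openssl req "$@" 2>/dev/null
}

# SHA-256 fingerprint, for comparing the file on disk with the cert a daemon serves.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# DNS names from the subjectAltName extension, one per line (empty if none).
san_dns_names() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# True if HOST equals a SAN DNS entry or is covered by a leftmost "*." wildcard.
# The subject CN is deliberately not consulted.
san_covers_host() {
  san_dns_names "$1" | grep -Fxqi -e "$2" -e "*.${2#*.}"
}

# True if the private key in KEY belongs to the certificate in CERT.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

make_cert cn_only  nrm.example.test
make_cert with_san nrm.example.test "DNS:nrm.example.test"
for c in cn_only with_san; do
  if san_covers_host "$workdir/$c.pem" nrm.example.test; then
    verdict="SAN covers the hostname"
  else
    verdict="no matching SAN (a CN match alone is not accepted by Chrome)"
  fi
  echo "$c: $verdict; sha256 $(fingerprint "$workdir/$c.pem")"
done
```

To see which certificate a running service actually presents, save the output of `openssl s_client -connect HOST:PORT </dev/null` to a file and pass that file to `fingerprint` and `san_dns_names`; a fingerprint that differs from the file on disk means the daemon is still serving another certificate.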
