Requirements for user authentication

In my trials of configuring the software, it seems that the only option of providing user access authentication is via LDAP integration. This seems a heavy requirement for non-enterprise usage.
I created a default directory service, but cannot enable access control without setting up distributed access, which seems to require LDAP. Installing LDAP has its own set of prerequisites. Is all this really necessary? Am I misunderstanding the documentation?
Thanks,
Sean Wyatt

Dear sean.wyatt,
LDAP is not the only option for user auth. There are key files and digest files. Or do you have some reason to use only LDAP?

Similar Messages

  • What is the option client certificate for user authentication used for?

    Hi All,
    I have to work on an FTPS - XI - SAP scenario.
    I can see an option for client certificate for user authentication when security is enabled for the FTP adapter. What exactly is this option used for?
    P.S.: I went through SAP Help but couldn't quite understand.

    Thanks a lot Mark.
    So for an FTPS -> XI -> SAP scenario the following settings are required.
    1. I have to create a certificate in Visual Admin for the XI server, send a CSR to a CA and get it signed by them, and I have to add this to the ssl_service view.
    2. I have to hand over the public key to the FTPS server, and this key will be used for encryption of the file.
    The above 2 steps are mandatory.
    If I choose to use the client certificate option, I have to get the client certificate from the FTPS server and add it into the TrustedCAs list. This certificate is just to imply that the client is what it claims to be.
    Will this certificate be used for encryption?
    To make it clear, let me put it this way. The certificate created in the XI server is used for encryption and also for ascertaining that it is what it claims to be.
    The client certificate option is used only to make sure that the client is what it's claiming to be, and this is not used for encryption?

  • User role for user authentication in a SOAP receiver channel

    Hi,
    What is the role required for a user in a SOAP receiver channel. This user is specified in the User Authentication while configuring the channel.

    Hi,
    User Authentication is not mandatory, but if your Web service requires logon data, select the Configure User Authentication checkbox and fill in the corresponding fields.
    If the Web service is outside your system landscape and you need to address a proxy server, select the Configure Proxy checkbox.
    The sender SOAP adapter does not require a SOAP action, but you always have to apply logon data when using the SOAP adapter. In the central adapter engine you can use a service user such as xiappluser; in a non-central adapter engine or a PCK you must use one of the user names assigned to security role xi_adapter_soap_message for component XISOAPAdapter.
    Regards,
    Divya

  • Please guide me for user authentication and authorization in WebDynPro App

    Hi,
    I am just studying WebDynPro to develop for the SAP Portal. I have developed Web-based apps using J2EE before. When I developed a Web-based app I had to develop the control of the user authentication and authorization on each page, for example, checking the session of the user, whether they can access this page, or whether the session is expired or not. So I have no idea about WebDynPro and the SAP Portal because I have never had experience with either WebDynPro or the Portal.
    I need to ask you some questions to clarify my doubts:
    1. SAP Portal is a web page that includes every enterprise application within one page, and the user logs in to them just one time, isn't it?
    2. If I integrate WebDynPro with SAP Portal, which one will do the authentication and authorization? I mean, do I have to develop the code to check authentication and authorization in the WebDynPro app, or let the SAP Portal manage them?
    3. Could you please suggest the best practice for authentication and authorization in WebDynPro?
    Many Thanks
    Noppong J

    In most cases you don't have to write code to deal with session, authentication and authorization.
    1. Yes.
    2. No, no code needed. You just set an attribute on your application, which makes the authentication required. When a user accesses this page, the portal will display the logon page.
    3. You can put some authorization-related code in Web Dynpro for specific requirements; search for this doc: "Protecting Access to the Web Dynpro Car Rental Application Using UME Permissions".

  • Function Module used for user Authentication in B2B webshop

    Hi Gurus,
    Can someone please help me in finding a function module which is getting called for the user authentication in the B2B webshop, and where can I find the class file which is getting called in the NWDS?
    Thanks
    Saurabh

    Depending upon whether you are coming from the Portal (SSO) or the B2B logon screen, one of the following function modules is called to authenticate and authorize the B2B application usage.
    CRM_ISA_IUSER_LOGIN
    CRM_ISA_LOGIN_CHECKS
    Easwar Ram
    http://www.parxlns.com

  • Setup Java system directory server 6 client for user authentication

    I am trying to set up a native LDAP client for Sun Directory Server 6 for network-based user authentication. I checked the Sun doc for naming service (LDAP) and the documentation is for setting up an LDAP client for Directory Server 5. Is there any documentation for setting up an LDAP client for Directory Server 6? Or are the documents for setting up an LDAP client for Directory Server 5 still good for 6? Particularly, I want to use SSL communication between server and client.

    Hi,
    could be one of the other 'bad jokes' of DS/ldapclient because the documentation describes a lot of stuff about profiles etc. but: you need some special schema files to use the whole stuff and they are not installed with Solaris or DS (and they include the NisDomainObject). I had to search for them in the internet. They are also printed in the documentation. Save them in your server's config/schema directory as i.e. 61DUAConfigProfile.ldif and 62nisDomain.ldif and try idsconf again (maybe you have to cleanup something).
    I test and prepare DS6 here, and we will use it in production too. I hadn't any problem with it and it has some important advantages over DS5.2. But we won't have a huge directory so I can't tell you anything more about it.
    Regards
    Jochem Ippers
    Here are the ldifs:
    61DUAConfigProfile.ldif:
    dn: cn=schema
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
    attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) X-ORIGIN 'user defined' )
    62nisDomain.ldif:
    dn: cn=schema
    attributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    objectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top STRUCTURAL MUST nisDomain X-ORIGIN 'user defined' )

  • Shell access required for RADIUS authentication?

    Hello all,
    A customer of mine has a fleet of modern Mac laptops, all accessing 3 AFP file servers. Access to those file servers is governed by a Snow Leopard Open Directory Master. Pretty simple.
    I’ve been tasked with introducing RADIUS authentication to the WLAN there. The WAPs are all Airport Extremes, so again the setup is pretty simple.
    But in testing, I see that users can authenticate to the RADIUS WLAN only if I give those user accounts shell access in Open Directory. If a user’s account has a login shell set to None (our previous default), then any RADIUS authentication attempt produces the following log error:
    Auth: [unix] [USERNAME]: invalid shell [/dev/null]
    If I switch that user’s login shell to (for example) /bin/bash, then restart RADIUS, that user authenticates successfully thereafter.
    Is this expected behavior? Is there an alternative to giving everyone shell access?
    Thanks for any info,
    Brandon White
    System Administrator
    www.technico.us

    Hi Peter,
    have a look at the RADIUS implementation CookBook (www.vasco.com/novell)
    chris
    > We use Vasco tokens for two things: Checkpoint Firewall-1 VPN
    > authentication, and iChain 2.2 RADIUS authentication. The current
    > RADIUS.NLM that we use is from the iChain authentication CD.
    >
    > The only problem I can think of to mention is the "Unknown RADIUS client"
    > error that we got after NW6 SP5. That was solved by the latest NMAS patches
    > and an upgrade from eDir 8.6.2 to 8.7.3.
    >
    > "Peter van de Meerendonk" <[email protected]> wrote in
    > message news:JNiQd.595$[email protected]..
    > > > Well, just let me cover my hiney a little. We did have extremely bad
    > > > results with Activcard ACO000 tokens, but that is an old product from about
    > > > 3-4 years ago. I have no knowledge of the current Activcard tokens.
    > > >
    > > OK, but the licensing policy makes activcard a costly alternative. we've got
    > > a good deal on RSA, and are negotiating a deal on Vasco. eventually we might
    > > need 250+ tokens.
    > >
    > > I am very interested in configuration details of your setup. do you use the
    > > tokens only for checkpoint authentication, or for novell authentication as
    > > well?

  • 802.1x for user authentication setup questions

    Hi,
    I am fairly new to the 802.1x realm, I have read several documents on how the setup is accomplished and I was hoping someone could validate the setup I have in mind to make sure I am on the right page.  Any comments or assistance would be greatly appreciated, I do not have the infrastructure to test everything before hand.
    I have a remote site with a switch and router. I want to authenticate users using their AD credentials. At the datacenter I will have ACS 5.2, a Windows 2008 enterprise server for AD service and CS service. I do not have the option to install an additional client on the PC like AnyConnect; I need to use the Windows OS supplicant without installing physical certificates on the machine.
    - Within the CS service I will generate a certificate that will be imported by ACS.
    - I will activate ACS to integrate with AD.
    - I do not want to install certificates on the client machines so I will use PEAP w/ MSCHAPv2.
    - The authenticating clients will be XP w/ SP3. I am hoping that a group policy can be created to enable the wired service to start automatically, and I will also need to add my CS/CA server as a trusted authority unless I purchase a VeriSign certificate to be used. Correct? Or will this need to be done when the desktop image is installed on the PC?
    Additional Questions:
    - With the setup I described above using MSCHAPv2, when the user boots the computer in the morning, hits ctrl+alt+delete and provides their AD credentials, will this act as a single sign on? First authenticating them through 802.1x so the port is authorized and then authenticating them to the AD server? Or will there be some type of pop-up window that will appear before the ctrl+alt+delete window, making the user provide credentials twice (annoying)?
    - Once the user is authenticated can I push an ACL down to the switch to enforce a set policy? Or does this happen on the router?
    - Most of the documents I have read are related to L2 802.1x. Is there an L3 option that includes the router that I should be looking at to provide more features?
    - Can anyone speak to their experience with the Windows OS supplicants? Is the functionality flaky/clunky, or if the backend is set up properly does it work seamlessly?
    Sorry for the long winded post but I am kind of shooting in the dark without having the equipment to test with. Any help is appreciated!
    Thanks

    Thanks to you both for the responses.
    I have a few followup questions which I have added inline.
    Q:
    - With the setup I described above using MSCHAPv2 when the user boots the computer in the morning, hits ctrl+alt+delete and provides their AD credentials will this act as a single sign on? first authenticating them through 802.1x so the port is authorized and then authenticating them to the AD server? or will there be some type of pop up window that will appear before the ctrl+alt+delete window? making the user provide credentials twice (annoying)
    A: If you select "Use windows credentials" it won't prompt you for credentials. So all automatic.
    However, note that it will only log in AFTER you entered the credentials on the logon page. So you won't have network connectivity for the initial logon, so no login scripts this way.
    With your comments I am rethinking my approach. I am considering that if the company security policy will allow it I will do machine authentication only instead of user auth. Obviously this is not as secure since a rogue user could change the local admin password and have access to the network. But in terms of simplicity and ease of use, machine authentication provides a transparent authentication mechanism that should suffice. I would just have to sell the solution to security.
    There are a few things I need to understand before pursuing this.
    - Will the machine be 802.1x authenticated and on the network before the ctrl+alt+delete? So when the user logs in the machine has passed 802.1x already and has received an IP from DHCP? This is my hope.
    - Is PEAP/MSCHAP still the supported protocol so no physical cert is required per machine? No EAP-TLS?
    - Is the machine profile on the AD server used for 802.1x verification/authentication? Meaning ACS will pass off to AD to verify the machine is part of the domain? Or do you have to create machine profiles in ACS?
    - I have read a few articles out there about issues with machine auth with clients using XP; perhaps this was related to previous service packs before SP3? There was mention of registry changes required etc.
    - Is there a different supplicant offered by Cisco that is more robust that would provide more stability, or does the Cisco supplicant cost money per user license or other etc.?
    Again, your feedback is invaluable as I do not have the physical equipment to test with. Unfortunately I have to propose a solution before actually testing something, which I am not particularly fond of.
    Regards,
    Eric

  • What privileges or role is required for user to acces the explain plan?

    Hi mates,
    Can anyone please tell me what privileges or roles (grants) are required for a user to access the explain plan in Oracle 8i 8174..
    I think the select any dictionary is not valid for explain plan accessibility in 8i.
    Cheers.

    I already had that... Just that a user (not a DBA) requires access to the explain plan and I don't want to grant him a DBA role.
    Are you aware of any other grant I can give to the user?

  • IMQ 2.0 and LDAP for user authentication

    Using the notes at http://knowledgebase.iplanet.com/ikb/kb/articles/7772.html
    I set up an LDAP with iMQ. The LDAP works OK for storing topics, connection factories, etc. from jmqadmin.
    The LDAP also now contains the 2 users as outlined in article 7772 - admin and guest.
    The broker starts up OK, but when I try to use
    jmqcmd query bkr -b localhost:7844 -u admin -p admin
    this is what I get:
    ERROR [B3018]: Unable to run the service admin, the broker will no longer accept connections on this service:
    com.sun.messaging.jmq.jmsserver.util.BrokerException: [B4077]: Undefined authentication type basic
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.init(AccessController.java:99)
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.loadProps(AccessController.java:251)
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.getInstance(AccessController.java:206)
    at com.sun.messaging.jmq.jmsserver.service.Connection.<init>(Connection.java:144)
    at com.sun.messaging.jmq.jmsserver.service.standard.StandardConnection.<init>(StandardConnection.java:49)
    at com.sun.messaging.jmq.jmsserver.service.standard.StandardService.run(StandardService.java:547)
    at java.lang.Thread.run(Thread.java:484)

    It's likely caused by trailing space after 'basic' in configuration
    imq.authentication.type=basic
    This has been fixed in MQ 3.0.
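
    The failure mode named in the reply above, as an added example that is not part of the original thread: the Java properties format keeps trailing whitespace in a value, so `basic ` is a different string from `basic`. The check below assumes the broker configuration is a standard Java properties file; the sample file is constructed, and every key except the authentication type is hypothetical.

```python
import re

WS = " \t\f"  # whitespace characters recognised by the properties format

# Constructed sample (not from the thread). The example.* keys are hypothetical.
SAMPLE_CONFIG = (
    "# constructed broker configuration\n"
    "imq.authentication.type=basic \n"
    "example.user_repository = ldap\n"
    "example.ldap.server=ldap.example.test:389\t\n"
    "example.accesscontrol : true\n"
)


def logical_lines(text):
    """Yield (first line number, joined line), skipping comments and blanks."""
    pending, start = None, 0
    for number, raw in enumerate(re.split(r"\r\n|\r|\n", text), start=1):
        line = raw.lstrip(WS)  # leading whitespace is never significant
        if pending is None:
            if line == "" or line[0] in "#!":
                continue
            pending, start = "", number
        backslashes = len(line) - len(line.rstrip("\\"))
        if backslashes % 2 == 1:  # odd count: the entry continues on the next line
            pending += line[:-1]
            continue
        yield start, pending + line
        pending = None
    if pending is not None:
        yield start, pending


def split_pair(line):
    """Split at the first unescaped '=', ':' or whitespace, as the format does."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if line[i] in "=:" + WS:
            break
        i += 1
    key = line[:i]
    rest = line[i:].lstrip(WS)
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(WS)
    return key, rest  # trailing whitespace of the value is preserved


def find_trailing_whitespace(text):
    """Return (line number, key, raw value) for values ending in whitespace."""
    findings = []
    for number, line in logical_lines(text):
        key, value = split_pair(line)
        if value != value.rstrip(WS):
            findings.append((number, key, value))
    return findings


if __name__ == "__main__":
    for number, key, value in find_trailing_whitespace(SAMPLE_CONFIG):
        # repr() makes the otherwise invisible space or tab visible
        print(f"line {number}: {key} = {value!r}")
```

    Running it over a configuration before a broker restart surfaces the invisible character that otherwise only shows up as an "Undefined authentication type" error at connection time.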

  • Remove admin requirements for user font installation..

    I have been struggling with a solution to this issue.
    My web/design teams are constantly installing font packages on their Windows 7 machines. However, I cannot find a way to allow them to install fonts with their local accounts without giving them admin rights. I built a little batch file that I thought would take care of the issue when I deployed the machines, but it doesn't seem to be working (it clears all attributes from c:\windows\fonts and gives ownership to the current user).
    Another issue is that we have decided (within group policy) to disable the admin escalation popups for standard users (whenever something requires admin access, it doesn't give them the option to type in user/pass).
    Any ideas guys? I would prefer to do this through a GP but I haven't been able to find a solution.
    Batch File Contents:
    attrib -r -s c:\Windows\Fonts
    takeown /f c:\Windows\Fonts /r /d n
    cacls c:\Windows\Fonts /e /t /g users:c
    cacls c:\Windows\System32\FNTCACHE.DAT /e /t /g users:c
    Registry Setting is :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts = full control.

    Check this post:
    http://community.spiceworks.com/topic/133185-how-can-a-standard-user-install-fonts-in-windows-7
    The last replies will show you how to solve this via GPO.
    Kind regards,
    Tim
    MCITP, MCTS, MCSA
    http://directoryadmin.blogspot.com

  • Hyperion Hub Required for External Authentication?

    Need to use external authentication for three products, Essbase 7.1.2, Analyzer and Reports. Do you have to use Hyperion Hub?

    Also, can you use mixed mode, some users using Essbase Native and some using Active Directory or a combination of Active Directory and NTLM?

  • Any recommendations or templates for User authentication with Flash sites?

    Looking to register, validate email registration and authenticate users to restrict access to individual accounts. Does anyone have recommendations or templates? It seems there would be a template out there that is generic for this purpose.


  • I have following requirement for USER EXIT/BADI

    If some material number is entered in Transaction ME11/ME12, I have to find a user exit/BADI where I will find the material group from MARA based on EINA-MATNR = MARA-MATNR. If that group is within some specific group like CHEM, POLY, OIL etc., the user will not be allowed to go to the next screen and it will show a message to the user on the first screen itself.
    If anyone has come across such a requirement please help me on this asap.
    Thanks in advance
    Sachin

    Hi,
    You can use the BADI : ME_PROCESS_PO_CUST and the method
    PROCESS_ITEM  and write the code.
    it will work.
    DATA: re_data TYPE mepoitem.
    " Get the item data
    CALL METHOD im_item->get_data
      RECEIVING
        re_data = re_data.
    reward if useful
    regards,
    ANJI

  • Grant details required for user and schema

    Hi
    I have Oracle version - 10.2.0.4.0
    We have Schema A (Lot of objects exist) and User B (No objects exist - acts as application user to access objects in other schema).
    I have listed below doubts.
    1) I want to know the method to find the list of users have access to objects in Schema A and privileges granted for the objects in Schema A
    2) I want to know the method to find the list of grants provided to the schema objects to the user B

    user1368801 wrote:
    Thanks ajallen.
    It really helped me.
    one more question. I think DBA_TAB_PRIVS gives details for tables only right.
    What about other objects like procedures, views etc.
    Go back to the Reference Manual and re-read the description of DBA_TAB_PRIVS. Re-read the specific description of TABLE_NAME.
    >
    Actually I am exporting 3 schemas (A,B,C) from production and importing them to test environment (A1, B1,C1) using fromuser and touser option.
    Now I have to properly remap all the privileges, grants, synonyms etc.
    There are so many objects and I am wondering how to remap properly.
    It may be simple, as a newbie, your direction will be more helpful
