Reverse Proxy + Policy Agent generates unwanted Basic Authentication

Similar Messages

• 3.1EA1: proxy client used allows only BASIC authentication

  The proxy client used only use BASIC authentication. The problem the proxy we're using uses NTLM authentication, and the user/password are the domain user/password, thereby very dangerous to send using a non-secure authentication mode as BASIC (a simple base64 enconding of user and password...)
  Edited by: user8381214 on Oct 21, 2011 3:52 AM

  Hi user8381214 ,
  Can you give me more details?
  Note that there are two main types of proxy connection:
  1/username1[username2]/password
  and
  2/username1/password with proxyClient username2/password
  Which one is affected?
  -Turloch
  SQLDeveloper team
  If you would prefer this to be off the forum my email address is:
  turloch<dot>otierney<AT>oracle.com

• Exchange 2013 pre-authentication & Reverse Proxy Options

  Hello,
  I wanted to see if anyone has any suggestions on reverse proxy options that can do pre-authentication like TMG use to do? I am currently trying to deploy out a new Excahnge 2013 setup in coexistence with an existing Exchange 2010 environment
  which will then be migrated over. And one of the requirements is to block certain users from accessing webmail externally while still allowing others to access webmail. That is currently achieved by using a TMG server but that is going to be decommissioned
  along with Exchange 2010.
  I have been searching online but so far I have not found anything that seemed to meet this requirement. I have seen that IIS Web Application Proxy tied in with AD FS would do the job. But there is some issue there with Excahnge 2010 still being active that
  won't allow it to work. Some suggestions I have seen online involved changing permissions on the IIS directory or modifying web config files but those options didn't seem like they provided a consistent result.
  So I am looking for some sort of option that is either inexpensive or some means of leveraging existing Microsoft technologies to achieve my goal any suggestions would be helpful.
  Nicholas,

  Hello,
  I wanted to see if anyone has any suggestions on reverse proxy options that can do pre-authentication like TMG use to do? I am currently trying to deploy out a new Excahnge 2013 setup in coexistence with an existing Exchange 2010 environment
  which will then be migrated over. And one of the requirements is to block certain users from accessing webmail externally while still allowing others to access webmail. That is currently achieved by using a TMG server but that is going to be decommissioned
  along with Exchange 2010.
  I have been searching online but so far I have not found anything that seemed to meet this requirement. I have seen that IIS Web Application Proxy tied in with AD FS would do the job. But there is some issue there with Excahnge 2010 still being active that
  won't allow it to work. Some suggestions I have seen online involved changing permissions on the IIS directory or modifying web config files but those options didn't seem like they provided a consistent result.
  So I am looking for some sort of option that is either inexpensive or some means of leveraging existing Microsoft technologies to achieve my goal any suggestions would be helpful.
  Nicholas,
  How about IIS ARR?
  http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx
  http://blogs.technet.com/b/exchange/archive/2013/08/02/part-2-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• WebServer 6.1 SP3 SSL reverse proxy to Sun One Application Server 7

  I have an application in the appserver7 that requires SSL authentication. I have already installed a self cert in the appserver7, and the authentication works fine when I browse directly to the appserver.
  The appserver7 has both listener for port 80 and 443 enabled.
  I'm currently setting up a webserver (WebServer 6.1 SP3) to act as a reverse proxy to the appserver7. The reverse proxy for the basic jsp pages found in the appserver worked fine.
  When I try to access the login page, in the appserver, in ssl mode, I am unable to do so. I then try changing the obj.conf to the following, from http to https:
  <Object name="passthrough">
  ObjectType fn="force-type" type="magnus-internal/passthrough"
  Service fn="service-passthrough" method="(GET|HEAD|POST)" servers="https://172.2
  8.48.53"
  However, it still doesn't work.
  Do I need to install a self cert in the webserver and enable the ssl listener as well?
  Do I need to install any reverse proxy addon for the appserver? Any
  setup for the obj.conf in the appserver?
  Any ideas how to get this done?
  Thanks.
  Mac.

  The Web Server 6.1 SP3 Reverse Proxy Plugin is supported, but it sounds like you're trying to do something that simply isn't possible.
  If you want the Reverse Proxy Plugin to perform SSL mutual authentication with the Application Server using the client's certificate, that's impossible due to the nature of SSL mutual authentication. If the plugin could impersonate the client, then SSL would be vulnerable to MITM (Man In The Middle Attacks). Fortunately, SSL isn't vulnerable to such attacks because the plugin doesn't know the client's private key.
  If you simply want the Reverse Proxy Plugin to pass information about the client's certificate along to the Application Server, that hapens automatically. There's nothing special to configure. Note that the plugin will not authenticate to the Application Server in this case. Rather, it will simply copy the X.509 certificate into the proprietary Proxy-auth-cert: HTTP request header.
  The application running on the Application Server can inspect the Proxy-auth-cert: header using standard Servlet APIs. Alternatively, you can use Application Server 7's auth-passthrough AuthTrans SAF to cause the contents of the Proxy-auth-cert: header to be copied to the javax.servlet.request.X509Certificate Servlet attribute.

• Exchange 2013 using ARR reverse proxy OWA options won't open

  Hi,
  I've been using the exchange team's blog post (http://blogs.technet.com/b/exchange/archive/2013/08/05/part-3-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx)
  as a guidelin on configuring my ARR deployment in my lab.
  Everything was working perfectly right until i got the last part of the blog on restricting the pattern matches.
  The rewrite rules all work fine and everything is working as expected with the excpetion of the fact that i cannot access the options in OWA. ECP itself works great if i access it via the
  https://ecp.domain.com/ecp url, but as soon as i use the https//mail.domain.com/ecp it just wont display anything.
  Looking at the failed request logs it just shows that it executes a 302 rewrite to ecp.domain.com, which is what i would expect it to base done rewrite rule matching
  https://mail.domain.com/ecp to the ecp.domain.com server farm.
  If i look at the iis logs it looks like it's getting into some sort of loop (the section below is about a 10% of a single attempt to access the options pages:
  2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp/ rfr=owa&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=6983c585-b0ea-4fd0-9bb1-fc747ee8e992 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C)
  - 302 0 0 15
  2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp rfr=owa/&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=d32a3a4f-d8a6-4712-91d4-56360be33793 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C)
  - 302 0 0 0
  2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp rfr=owa//&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=14797897-f1ad-454a-b73c-fde041a43d2b 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C)
  - 302 0 0 0
  Did anyone ever run into something like this? Or have an idea where i may have made a mistake? I've tried everything i could think of.
  The rewrite rules i have in place are basically exactly the same as the exchange team's blog but just in case i overlooked somehthing, please se the image below.
  thanks in advance for your time

  Hello,
  I wanted to see if anyone has any suggestions on reverse proxy options that can do pre-authentication like TMG use to do? I am currently trying to deploy out a new Excahnge 2013 setup in coexistence with an existing Exchange 2010 environment
  which will then be migrated over. And one of the requirements is to block certain users from accessing webmail externally while still allowing others to access webmail. That is currently achieved by using a TMG server but that is going to be decommissioned
  along with Exchange 2010.
  I have been searching online but so far I have not found anything that seemed to meet this requirement. I have seen that IIS Web Application Proxy tied in with AD FS would do the job. But there is some issue there with Excahnge 2010 still being active that
  won't allow it to work. Some suggestions I have seen online involved changing permissions on the IIS directory or modifying web config files but those options didn't seem like they provided a consistent result.
  So I am looking for some sort of option that is either inexpensive or some means of leveraging existing Microsoft technologies to achieve my goal any suggestions would be helpful.
  Nicholas,
  How about IIS ARR?
  http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx
  http://blogs.technet.com/b/exchange/archive/2013/08/02/part-2-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• SPNego, Reverse Proxy?

  We all know that we should be switching to SPNego and I am trying to set up a new portal with it now. 
  My question is, if we are to use SPNego now, how does that act as a reverse proxy?  This is supposed to be replacing IISProxy, right?

  Hi David,
  I guess is a little late... SPNego is not for reverse proxying.
  It is used for authentication purpouses.
  Kind Regards,
  Gerardo J

• IIS Reverse Proxy and Basic Authentication

  Hi,
  we've currently put a WebAS 6.40 serving a BSP Application in our Appl-DMZ. For the access via Web the IIS Reverse Proxy is used, which works fine as long as you use a service for which a user is provided (in SICF). But if you don't provide a user in the service (in order to debug the BSP Application) you have to authenticate yourself using Basic Authentication (Browser Popup) which does not work (the popup returns and returns ...)
  I' ve browsed the forums and it seems that the IIS Reverse Proxy does not support (the forwarding) of Basic Authentication "requests".
  So my question, does someone exactly know if the IIS Reverse proxy supports Basic Authentication or not ?
  Thanks,
  Markus

  Hello Markus,
  1. have you checked out Alon Weinstein's Weblog <a href="/people/sap.user72/blog/2005/02/23/the-reverse-proxy-series--part-2-iis-as-a-reverse-proxy">The Reverse Proxy Series -- Part 2: IIS as a reverse-proxy</a>?
  2. Is the IIS a must? Can you give Apache or SAP Web Dispatcher a try. Prakash Singh wrote a Weblog <a href="/people/prakash.singh4/blog/2005/08/16/how-to-setup-webdispatcher-to-load-balance-portal-in-a-clustered-environment">How to setup webdispatcher to load balance portal in a clustered environment</a>.
  Regards
  Gregor

• Proxy for Basic Authentication

  Hi,
  Can someone point out if I am on the right track about this ?
  I have an application which uses Basic Authentication as its authentication mechanism.I have defined the Application for single sign-on using the External Applications option in the Portal Builder.
  I have read further down in the documentation (Configuring and Administering External Applications) http://download.oracle.com/docs/cd/B10464_01/manage.904/b10851/ext_apps.htm#1009009
  that there is something called Proxy Authentication for Basic Authentication Applications.
  Can someone explain this to me as I am unsure as to whether I need to set this proxy up as well ? The diagram in the documentation appears to be what I am trying to do.
  As I mentioned in a previous post Basic Authentication doesn't appear to be working for me. The very first time I authenticate I get straight into the application but any attempts after that results in the Basic Authentication dialog box appearing even though I have checked the "Remember my login information" tick box.
  Any ideas ?
  Thanks,

  Thank you for the response. I tried with a pass-through service account but could not get it working.
  This is what I did:
  1. I have a SOAP business service with WS-Policy with username security assertion.
  2. I created a SOAP business service with the wsdl. OSB EPE editor said OSB does not support WSSE 1.2 policies. I extended my OSB domain to include OWSM and in the business service policy tab, selected OWSM policy option and added "oracle/wss_username_token_client_policy". (Now I am not sure how the user credentials in HTTP BASIC (headers) will be propagated to WS-Security headers)
  3. I created a pass through service account and added this service account in the SOAP business service. I am able to configure service account only when I choose HTTP BASIC authentication in the business service. This did not propagate the username from HTTP to WS-Security. I see errors in the log like "WSM-00015 : The user name is missing.". Looks like wss_username_token_client_policy is looking for username in csf-key map. I do not know this map gets populated internally. If I have to do it programmatically I saw there is java code to set BindingProvider.USER_NAME in the request context. How do I do this from OSB designer ?
  4. I tried creating a wrapper proxy around the secure SOAP business service and include the wrapper proxy in my main proxy but could not get it working. I get lof of NullPointers.
  I am missing something. Can you please help ?

• JDeveloper Web Service Client/Proxy Basic Authentication

  Hi I recently migrated a 10g Web Service to an 11g Web Service that uses basic authentication.
  I then generated the client/proxy using the WSDL for my consumer application in JDeveloper 11g. however I cannot find any functions that will allow me to set the username and password to access the web service.
  For instance, in 10g Client, I simply had to this:
  myPort = new SoapHttpPortClient();
  myPort.setUsername("username");
  myPort.setPassword("password");
  I am not sure how I do the same in the generated Web Service client in 11g.
  Thanks in advance.

  Thanks Frank. I was able to get it to work!
  I did google it but I always add "jdeveloper 11g" in my searches so that must be why this did not come up. :) Thanks again!

• Distributed Authentication Service Server or Reverse Proxy

  My environment have two layers firewall in place. The DMZ is sitting on the first-tier firewall as general web sites while I plan to put Access Manager server on the second-tier firewall. As we know that, AM have to send SSO token back to the browser after authenticated. In this configuration, based on security policy we don't allow direct connection between the browser and AM. That's why we put DSSS or Reverse proxy on the DMZ zone and act as the gateway for internal & exteranl traffic.
  Can anyone post the comparison, pros and cons between DSSS and Reverse Proxy? Which one is better in term of features and easy-to-implement?
  Finally, Is there any other alternatives if don't want to use both DSSS and Reverse proxy? I ask this question because AM will be single point of failure of the whole system. If AM have been attacted from whether direct or indirect, all services will be unaccessable.
  Best Regards,
  mthekid

  Bernhard,
  Thanks for your response. Because my major concern is security so I want to prevent denial of service on Access Manager. It look like writing my own dist-auth equal mechanism will help. However, I have 3 different platforms in single sign-on environment. Does this mean I have to create 3 dist-auth-like ones ?
  Do you think if they are worth to do (I hope I can find documentation and guideline at http://docs.sun.com) ? Please tell me frankly. I am semi-technical and presales. If they are too complex and time consuming, I may decide to with dist-auth.

• Windows Intergrated Authentication with reverse proxy issue with Safari

  Hi All
  I having a application which has Windows Integrated Authentication, for Internet users we are having a reverse proxy which has a IIS server which will authenticate using basic authentication then redirected to the actual application, every thing works as expected in IE and firefox but in safari there is a second login dialog box appears. When I did a packet capture using wireshark I noticed that in IE and FF the basic authentication which is carried forward to the actual application from IIS server but in Safari there is a NTLM negotiation in between because there is a 401 response so my application asks for on more login dialog. Dose any one knows why safari is behaving like this?
  Thanks & Regards
  Karthikeyan Vaithilingam

  I found a related post https://discussions.apple.com/thread/3274071?start=0&tstart=0. There is an issue with basic authentication and Http Redirect.

• Custom Authentication Issue with Policy Agent

  Hi,
  I have a custom authentication module which is hosted on the BEA application server and I am trying to access through the policy agent on apache.
  I have set the following property in AMAgent.properties file
  com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
  So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication is succeed, user sesion is being created and I get the following error message in the agent log file.
  2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
  2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
  2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
  2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
  2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
  The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
  Thanks
  Neeraj

  Hi Neeraj,
  I still have not been able to resolve that issue. Let me know If you find a solution for the same.
  Thanks,
  Srinivas

• Add Basic Authentication to Proxy Services in OSB

  Hi,
  I need add Basic Authentication (browser pop-up with usr and pwd) to a proxy service.
  ¿how can I do that?
  Thanks!!

  For an HTTP service choose the HTTP Transport tab and select Basic for the authentication property.

• Policy Agent 2.2, IIS 6.0, CDSSO and redirects after authentication

  Hi
  I've got a problem where a HTTP/1.1 200 and 302 are returned by the Policy Agent / Application, after the Javascripted POST by the CDCServlet content is performed.
  The expected functionality is that the user is authenticated with the AM, the CDC Servlet serves the JavaScript page that will do a POST to the Policy Agent. The Policy Agent should then do what it needs to do with the POST, and forward request to the Application. The Application then does what it needs to do, and in this case, serves a HTTP/1.1 302 for redirection back to the browser.
  However, it seems that the Policy Agent might be returning a HTTP/1.1 200, and setting the iPlanetDirectoryPro cookie, quickly followed by the HTTP/1.1 302 and the setting of whatever cookies it wants to set.
  The Policy Agent should be respecting the return code of the Application. This problem does not appear when run against the Policy Agent for the Sun ONE Web Server.
  Wondering if anyone has seen this before?
  Here is sanitized output from a trace on the POST and resulting response.
  POST /oslp/?sunwMethod=GET HTTP/1.1
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
  Accept-Language: en-au
  Content-Type: application/x-www-form-urlencoded
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
  Host: sco88342744.corp.qed.qld.gov.au
  Content-Length: 3496
  Connection: Keep-Alive
  Cache-Control: no-cache
  X-ProcessAndThread: IEXPLORE.EXE [904; 2908]
  LARES=<snip>
  HTTP/1.1 200 OK
  Date: Wed, 16 May 2007 22:25:42 GMT
  Server: Microsoft-IIS/6.0
  Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcz8tCfJ96AXxjIgRzuZJDgE7gMeTO0iIS4%3D%40AAJTSQACMDQ%3D%23;Path=/
  HTTP/1.1 302 Found
  Date: Wed, 16 May 2007 22:25:42 GMT
  Server: Microsoft-IIS/6.0
  X-AspNet-Version: 1.1.4322
  Location: /oslp/user/signon.aspx
  Set-Cookie: ASP.NET_SessionId=lh4sus55y1iy2r5514onnjuj; path=/
  Cache-Control: no-cache
  Pragma: no-cache
  Expires: -1
  Content-Type: text/html; charset=utf-8
  Content-Length: 139
  <html><head><title>Object moved</title></head><body>
  <h2>Object moved to <a href='/oslp/user/signon.aspx'>here</a>.</h2>
  </body></html>

  Hi,
  we had the same problem, but we got support
  from readme.txt
  Bug#: 6789020
  Agent type: All Agents
  Description: In CDSSO mode non enforced POST requests cannot be accessed
  Bug#: 6736820
  Agent type: IIS 6 Agent
  Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
  Both bugs should be fixed in this version:
  Sun Java System Web Agents 2.2-02 hotpatch2

• Policy agent using https redirect to AM for authentication

  We are using Access Manager 6 2005Q1.
  Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
  Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP)for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
  All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
  Our load balancer is currently setup as active/failover because it does not support ssl with cookies.
  In our AMAgent.properties file if I set 'com.sun.am.policy.am.loginURL = http://<lb-vip>:80/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>.
  However, if I set 'com.sun.am.policy.am.loginURL = https://<lb-vip>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am NOT redirected to AM and receive 'Forbidden You don't have permission to access /<url> on this server. Also in the agent log file I see:
       2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: in_not_enforced_list():enforcing access control for https://<webserver>:443/<url>
       2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: am_web_is_access_allowed https://<webserver>:443/<url>S, GET) no sso token, setting status to invalid session.
       2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: Policy Agent: am_web_is_access_allowed returned status=invalid session
       2006-01-30 12:42:32.800 Warning 28126:203470 PolicyAgent: am_web_get_redirect_url() unable to find active Identity Server Auth server.
       2006-01-30 12:42:32.800 Info 28126:203470 PolicyAgent: do_redirect(): Status Code= invalid session.
  Interestingly if I set 'com.sun.am.policy.am.loginURL = https://<am-server>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>. In this scenario the only difference is I am bypassing the load balancer.
  Our networking people have monitored the load balancer in front of our AM boxes A/B and see the traffic going to AM in all cases.
  From my standpoint it appears the agent is not able to successfully connect to AM via https when going through the load balancer.
  Any help with this configuration issue is appreciated.

  Bernhard,
  From our AMAgent.properties... com.sun.am.policy.agents.version=2.1. Is there a way for me to tell if this is truely only 2.1 or 2.1-xx?
  Because our LB does not support SSL with cookies we are currently configured as active/failover so all requests are going to the same AM server until it goes down, at which time I know users have to re-authenticate. Also we have set "com.sun.am.loadBalancer_enable = true" in AMAgent.properties.
  We understand your point about loginURL. Infact there are two properties dealing with loginURL, com.sun.am.policy.am.loginURL and com.sun.am.policy.am.library.loginURL. Based on the comments in AMAgent.properties my understanding is that com.sun.am.policy.am.loginURL is where the user is redirected for login when no valid SSO token is found and com.sun.am.policy.am.library.loginURL is what the agent uses to authenticate itself "If the previously specified login URL must be exclusively used for redirecting users..." The interesting part is that if we set com.sun.am.policy.am.loginURL to use http everything works just fine, however if we set it to use https the user never gets redirected. Its almost like the agent is trying to connect there first before doing the redirect and can not.
  Craig