Secure AD Bind

Hi,
Struggling a bit with a module. I'm trying to do a secure bind to AD with not much success. I can do a simple bind just fine but not secure. I have used this module before in other environments and it has worked flawlessly. In this new environment however I'm stuck and asking for your help. Take a look and tell me if you see something wrong with this bind method:
     import java.io.IOException;
     import java.util.Hashtable;
     import javax.naming.Context;
     import javax.naming.NamingException;
     import javax.naming.directory.DirContext;
     import javax.naming.directory.InitialDirContext;

     /**
      * Basic bind for doing AD queries against a domain. A simple bind assumes no
      * context.
      * @param domain the domain controller you're authenticating against
      * @return DirContext
      */
     public DirContext ldapBind(String domain, String username, String password,
               boolean secure) throws NamingException, IOException {
          DirContext ctx = null;
          Hashtable<String, Object> env = new Hashtable<>(8);
          // "secure" selects the DIGEST-MD5 SASL mechanism; otherwise a simple bind
          String authType = secure ? "DIGEST-MD5" : "simple";
          // Set the context & provider
          env.put(Context.INITIAL_CONTEXT_FACTORY,
                    "com.sun.jndi.ldap.LdapCtxFactory");
          env.put(Context.PROVIDER_URL, domain);
          env.put(Context.SECURITY_AUTHENTICATION, authType);
          // SASL quality of protection "auth": authentication only, no integrity or privacy layer
          env.put("javax.security.sasl.qop", "auth");
          if (secure) {
               // Acceptable cipher strengths, only relevant if a privacy layer were negotiated
               env.put("javax.security.sasl.strength", "high, medium");
          }
          // provide a username/password (bytes for the SASL bind, String for simple)
          byte[] pass = password.getBytes();
          Object pword = secure ? pass : password;
          env.put("java.naming.security.principal", username);
          env.put(Context.SECURITY_CREDENTIALS, pword);
          env.put(Context.REFERRAL, "follow");
          if (ADUtil.debug) {
               // BER tracing of the LDAP exchange; left disabled
               // env.put("com.sun.jndi.ldap.trace.ber", System.out);
          }
          // Create the initial directory context
          ctx = new InitialDirContext(env);
          return ctx;
     }

Thanks in advance,
-Stumped

adler_steven wrote:
> What do you mean "it doesn't work"?
> Are you getting authentication exceptions? Perhaps LDAP Error 49 with an Active Directory error code of 52e?

Yes of course. How silly of me not to include the error:
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece>

> If the same code worked in one environment & not the other, then one has to assume the problem lies with the different environments.
> Are users using the same format for authentication? Remember that you cannot use LDAP Distinguished Names (CN=Albert Einstein,OU=Research,DC=Antipodes,DC=Com) to authenticate using Digest-MD5, you can only use NTLM style domain names (ANTIPODES\AlbertE) or User Principal Names ([email protected])

Yes I was aware that with *simple* the expected format for username is the distinguishedName and with *DIGEST-MD5* it is userPrincipalName. I have verified both using ADSI from the domain controller.
The username and password are definitely correct as they are the ones I use to remote desktop to the domain controller.

> Also, each user account needs to have their password stored using reversible encryption. (The setting is exposed in the Active Directory Users & Computers snap-in under the Account Tab for each user)

This I was not aware of, good to know. I looked and this was not checked. I checked it and re-ran the test and am still getting the same error from above. I'm in agreement with you that the problem does lie with the different environments. I just wish I had a way to get a more meaningful error to pass off to my System Admins to take corrective action.
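As an added example (the editor's code, not the original poster's module or any library API), the bind environment with the principal-format rule from the replies above enforced up front, plus a helper that turns the "data" sub-code of an AD error-49 message into a readable reason of the kind the poster wanted to hand to the sysadmins. The class name, the sub-code descriptions and the two sample messages are constructed here; Map.of needs Java 9 or later.

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public final class AdBindDiagnostics {

    // Sub-codes AD places after "data" in an error-49 AcceptSecurityContext message.
    private static final Map<String, String> AD_DATA_CODES = Map.of(
        "525", "user not found",
        "52e", "invalid credentials (bad password, or a principal in the wrong format for the mechanism)",
        "530", "logon not permitted at this time",
        "531", "logon not permitted at this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password",
        "775", "account locked out");

    private static final Pattern DATA_CODE =
        Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    private AdBindDiagnostics() {}

    /** Builds the JNDI environment for a simple or a DIGEST-MD5 bind. */
    static Hashtable<String, Object> bindEnvironment(String providerUrl, String principal,
                                                     String password, boolean secure) {
        // Heuristic: a DN contains '='; a UPN (user@domain) or DOMAIN\user never does.
        if (secure && principal.contains("=")) {
            throw new IllegalArgumentException(
                "DIGEST-MD5 needs a UPN or DOMAIN\\user, not a distinguished name: " + principal);
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, secure ? "DIGEST-MD5" : "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        // A simple bind sends the password in the clear unless providerUrl is ldaps://
        env.put(Context.SECURITY_CREDENTIALS, password);
        if (secure) {
            // "auth" = authentication only; no SASL integrity or privacy layer is negotiated
            env.put("javax.security.sasl.qop", "auth");
        }
        return env;
    }

    /** Opens the context; on error 49 rethrows with the AD sub-code explained. */
    static DirContext bind(String providerUrl, String principal, String password, boolean secure)
            throws NamingException {
        try {
            return new InitialDirContext(bindEnvironment(providerUrl, principal, password, secure));
        } catch (AuthenticationException e) {
            AuthenticationException explained = new AuthenticationException(describe(e.getMessage()));
            explained.setRootCause(e);
            throw explained;
        }
    }

    /** Maps the "data NNN" field of an AD error-49 message to its meaning. */
    static String describe(String message) {
        if (message == null) {
            return "authentication failed (no message)";
        }
        Matcher m = DATA_CODE.matcher(message);
        if (!m.find()) {
            return "authentication failed: " + message;
        }
        String code = m.group(1).toLowerCase();
        String meaning = AD_DATA_CODES.get(code);
        if (meaning == null) {
            meaning = code.equals("0")
                ? "no account-specific sub-code returned; check principal format, mechanism "
                  + "support and (for DIGEST-MD5) reversible password storage"
                : "unknown sub-code";
        }
        return "authentication failed, AD data " + code + ": " + meaning + " [" + message + "]";
    }

    public static void main(String[] args) {
        // Constructed samples: the first mirrors the message quoted in the thread above.
        System.out.println(describe("[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, "
            + "comment: AcceptSecurityContext error, data 0, vece]"));
        System.out.println(describe("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
            + "comment: AcceptSecurityContext error, data 52e, v1db1]"));
    }
}
```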

Similar Messages

  • Domain Users AD group disappearing from SharePoint security

    After applying SharePoint 2010 SP2 and the September 2014 cumulative update (KB 2883103) to our SP2010 farm, we've discovered the system is automatically removing the 'Domain Users' active
    directory group from SharePoint security.  It's not affecting any other AD groups or users or when Domain Users is a member of a SharePoint group.  Only when Domain Users has been explicitly added to a site, library, list or document.
    For example, we give Domain Users access to the root of most our site collections and then break inheritance for certain libraries or lists that need more security.  Now Domain Users has disappeared from every site.  I can say
    with 100% confidence that this has not been done by anyone in the organization.  Nothing else changed besides SP2 and Sept2014 CU. 
    Yesterday we fixed a few sites by re-adding Domain Users.  This morning those were missing again, so it must be a timer job or other cleanup process that is causing this.  Again, this does not affect SharePoint groups/membership or any other
    AD object, only Domain Users.
    Has anyone run into this issue or have any suggestions on a resolution?  We have enabled audit logging but have not seen any related logs yet. 

    Sometime between noon and 1:00pm this afternoon we lost the Domain Users group again from all sites where we re-added it.  Audit logging is showing this for one particular site:
    {072c340a-42cb-4861-a182-38102b53bc52}
    {072c340a-42cb-4861-a182-38102b53bc52}
    Site
    System Account   <SHAREPOINT\system>
    2014-10-21T18:53:52
    Security Role Bind Update
    SharePoint
    <roleid>-1</roleid><principalid>DOMAIN\domain   users</principalid><scope>67A6138A-CBFA-42BD-87EF-86D558047D63</scope><operation>ensure   removed</operation>
    Does anyone know if any additional logging can be enabled to see WHY this is occurring?
    So far our solution has been to setup another AD security group and nest the domain users security group inside.  Not exactly a solution but at least a work around. 

  • Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

    I am using a custom binding in the BTS Adapter with the following elements (similar to TransportWithMessageCredential with both the client and the server certs)
     encoding (soap11)
     https transport
    Security : CertificateOverTransport
    Problem: the request is sent successfully, but when I receive the response in BizTalk I get the following error
    System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. After turning on tracing in the WCF Trace the following error is present: "Tokens of that type cannot be accepted according to current security settings."
    Solutions tried
    1) Changed the security to MutualCertificate; this time the request also fails with the following error message: The remote endpoint did not provide a domain name system (DNS) claim and therefore did not satisfied DNS identity 'xxxx.com'.
    This may be caused by lack of DNS or CN name in the remote endpoint X.509 certificate's distinguished name.
    Binding configuration
     <behaviors>
          <endpointBehaviors>
            <behavior name="EndpointBehavior">
              <clientCredentials>
                <clientCertificate findValue="XXXXXXXXXXXXXXX" x509FindType="FindByThumbprint" />
                <serviceCertificate>
                  <defaultCertificate findValue="XXXXXXXXXXXX" storeName="TrustedPeople" x509FindType="FindByThumbprint" />
                  <authentication certificateValidationMode="None" revocationMode="NoCheck" />
                </serviceCertificate>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
          <serviceBehaviors>
            <behavior name="ServiceBehavior" />
          </serviceBehaviors>
        </behaviors>
        <bindings>
          <customBinding>
            <clear />
            <binding name="XXXXXXXXX">
              <textMessageEncoding messageVersion="Soap11" />
              <security allowSerializedSigningTokenOnReply="true" authenticationMode="CertificateOverTransport" requireDerivedKeys="false" securityHeaderLayout="Lax" messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
    requireSecurityContextCancellation="false">
                <secureConversationBootstrap />
              </security>
              <httpsTransport />
            </binding>
          </customBinding>
        </bindings>
    Thanks -Madhu

    Please refer to the similar discussion:
    http://social.msdn.microsoft.com/Forums/en-US/6a3d38ee-30ca-43fb-b906-6e95808df69d/cannot-find-a-token-authenticator-for-the-systemidentitymodeltokensx509securitytoken-token?forum=wcf

  • Security audit issues

    We have a user with a site that has had problems with permissions on it 4 times. On this site are 13 lists, each one with very specific permissions granted to external users. 4 times those permissions have gone away and been replaced by the parent site's permissions.
    The first time the user admitted that she didn't understand what Inherited meant in this case, and that she had caused the problem.  So we did some training with her and then she recreated all the permissions on her 13 lists (and there are a lot of them).
    So the next time it happened we assumed it was her again clicking the wrong button.  She swore up and down that in this case she hadn't done it, and we didn't believe her.  So she had to once again recreate all of these permissions.  We also
    walked her through again to not click the inherit button.
    The third time it happened I was beginning to doubt that she did it.  She is not a completely computer illiterate person, and as much work as it is for her to recreate this it's a lesson you don't soon forget.  So we enabled security logging on
    that site collection figuring at least the next time it would show who did what.
    So on Tuesday it happened again.  She claims that at 6am all the permissions were fine on all of these lists, but at 1pm she got calls from the external users saying they couldn't get in. She checked then and could see that all permissions were gone.
    So I pulled the security logs, and looked through the ULS logs as well.  I can see the following lines in the security logs:
    Helen  <i:0#.w|tor\tzihf>
    legal/cases
    2015-03-03T16:00:03
    Security Role Bind Update
    SharePoint
    <roleid>-1</roleid><principalid>3396</principalid><scope>6804231A-4427-4980-9DC9-0DBC527BB590</scope><operation>ensure   removed</operation>
    Steve  <i:0#.w|tor\mesx>
    legal/cases/Licka Francis
    2015-03-03T18:21:37
    Security Role Bind Update
    SharePoint
    <roleid>1073741827</roleid><principalid>3418</principalid><scope>562EB4A3-3447-4012-86D3-18DFF7DF4D4D</scope><operation>ensure   added</operation>
    Steve <i:0#.w|tor\mesx>
    legal/cases/Licka Francis
    2015-03-03T18:21:37
    Security Role Bind Update
    SharePoint
    <roleid>1073741827</roleid><principalid>3419</principalid><scope>562EB4A3-3447-4012-86D3-18DFF7DF4D4D</scope><operation>ensure   added</operation>
    Helen <i:0#.w|tor\tzihf>
    legal/cases/Lazenby
    2015-03-04T18:57:54
    Security Role Bind Update
    SharePoint
    <roleid>1073741827</roleid><principalid>3338</principalid><scope>5C6C4E2C-7570-4D76-944C-F840666300EB</scope><operation>ensure   added</operation>
    Helen  <i:0#.w|tor\tzihf>
    legal/cases/Lazenby
    2015-03-04T18:57:54
    Security Role Bind Update
    SharePoint
    <roleid>1073741827</roleid><principalid>3335</principalid><scope>5C6C4E2C-7570-4D76-944C-F840666300EB</scope><operation>ensure   added</operation>
    Helen<i:0#.w|tor\tzihf>
    legal/cases/Lazenby
    2015-03-04T18:57:55
    Security Role Bind Update
    SharePoint
    <roleid>1073741827</roleid><principalid>3341</principalid><scope>5C6C4E2C-7570-4D76-944C-F840666300EB</scope><operation>ensure   added</operation>
    Helen<i:0#.w|tor\tzihf>
    legal/cases/Lazenby
    2015-03-04T18:57:55
    Security Role Bind Update
    SharePoint
    <roleid>1073741827</roleid><principalid>3336</principalid><scope>5C6C4E2C-7570-4D76-944C-F840666300EB</scope><operation>ensure   added</operation>
    These aren't all, but a good snippet.  The crazy thing is it only lists 3 of the 13 lists.  If someone had clicked on "inherit" for each separate list, wouldn't that be listed in the security logs 13 times?  Why would it only record
    3 of the 13?  And these are all changes that were made on Monday night, not on Tuesday morning when she says they were all set up correctly.
    By the way I can see her accessing a couple of the lists in the ULS logs at 6am, but not for all of them.  Not enough to have wiped permissions on all of them.
    I can't believe this user clicked on the permissions for 13 different lists and clicked on inherit, knowing that she was going to have to reset them all up again from scratch.  I think something else is happening with these lists but I am completely
    stumped as to what else it could be.  Any suggestions would be greatly appreciated.
    Thanks
    Ted

    There have been reports of permissions automatically being reset in the past. What I would strongly suggest is for you to turn on Site Collection Auditing, enable the Permissions and, if you need to monitor changes to SharePoint Groups, the "Edit Items"
    flag.
    This way when it happens again, you can tell exactly who did it.
    Trevor Seward

  • Is it possible to use TransportWithMessageCredential with both transport as well as message security?

    Can i use configuration like this
    <ws2007HttpBinding>
    <binding>
    <security mode="TransportWithMessageCredential">
    <transport clientCredentialType="Certificate"/>
    <message clientCredentialType="UserName"
    negotiateServiceCredential="false"
    establishSecurityContext="false"/>
    </security>
    </binding>
    </ws2007HttpBinding>
    This is the client side code to prepare channel for the WCF service
    //f is instance of WSTrustChannelFactory
    f.Credentials.UserName.UserName = username;
    f.Credentials.UserName.Password = password;
    f.Credentials.ClientCertificate.Certificate = "I am assigning the client certificate here";
    f.Open();
    var channel = f.CreateChannel(new EndpointAddress(endpointAddress)) as WSTrustChannel;
    Server side, I have custom SecurityTokenHandlers for both UserNameSecurityTokenHandler (to validate username and password) as well as X509SecurityTokenHandler (to validate client cert)
    But in this case, only my custom X509SecurityTokenHandler is getting called. So my question is whether it is possible to use transport security "certificate" as well as message security "username" in combination? In my opinion it
    does not work.
    ViBi

    Hi vkbishnoi,
    By default, the wsHttpBinding binding provides HTTP communication. When configured for transport security, the binding supports HTTPS communication. HTTPS provides confidentiality and integrity protection for the
    messages that are transmitted over the wire. However the set of authentication mechanisms that can be used to authenticate the client to the service is limited to what the HTTPS transport supports. WCF offers a
    TransportWithMessageCredential security mode that is designed to overcome this limitation. When this security mode is configured, the transport security is used to provide confidentiality and integrity
    for the transmitted messages and to perform the service authentication. However, the client authentication is performed by putting the client credential directly in the message. This allows you to use any credential type that is supported by
    the message security mode for the client authentication while keeping the performance benefit of transport security mode.
    So we can use the following configuration:
    <security mode="TransportWithMessageCredential">
    <transport clientCredentialType="Certificate"/>
    <message clientCredentialType="UserName"
    negotiateServiceCredential="false"
    establishSecurityContext="false"/>
    </security>
    In a word, for this binding credentials are passed with the message, while message protection and server authentication are provided by the transport layer.
    Best Regards,
    Amy Peng

  • Is there something wrong with my directory server replica?

    Yesterday I spun up a replica of my OD Master which I had just rebuilt clean from scratch.  Everything SEEMS fine, but the GUI reports a status I did not expect:
    As you can see, the master has its own IP listed twice, and there are 3 IP's for the replica - only the first is valid for my network.
    Is this anything to worry about?  It's not what I expected to see when replication was complete.  Here's the output from serveradmin settings dirserv
    dirserv:selfWrite = yes
    dirserv:locales = _empty_array
    dirserv:caServer = yes
    dirserv:MacOSXODPolicy:Directory Binding = yes
    dirserv:MacOSXODPolicy:Configured Security Level:Binding Required = no
    dirserv:MacOSXODPolicy:Configured Security Level:Advisory Client Caching = no
    dirserv:MacOSXODPolicy:Configured Security Level:Man In The Middle = no
    dirserv:MacOSXODPolicy:Configured Security Level:Packet Signing = no
    dirserv:MacOSXODPolicy:Configured Security Level:No ClearText Authentications = no
    dirserv:MacOSXODPolicy:Configured Security Level:Packet Encryption = no
    dirserv:kerberizedRealmList:availableRealms:_array_index:0:dirNodePath = "/LDAPv3/127.0.0.1"
    dirserv:kerberizedRealmList:availableRealms:_array_index:0:realmName = "SERVER.DOMAIN.TLD"
    dirserv:kerberizedRealmList:defaultRealm = "SERVER.DOMAIN.TLD"
    dirserv:PWPolicyInfo:requiresMixedCase = no
    dirserv:PWPolicyInfo:passwordMinLen = 0
    dirserv:PWPolicyInfo:mustChangeAtFirstLogin = no
    dirserv:PWPolicyInfo:passwordMustHaveAlpha = no
    dirserv:PWPolicyInfo:requiresSymbol = no
    dirserv:PWPolicyInfo:passwordNotAccount = no
    dirserv:PWPolicyInfo:passwordDisableFailedLogins = 0
    dirserv:PWPolicyInfo:passwordHistoryLen = 0
    dirserv:PWPolicyInfo:passwordDisableNumDaysInactive = 0
    dirserv:PWPolicyInfo:passwordDisableDate = 0.000000
    dirserv:PWPolicyInfo:passwordExpireDays = 0
    dirserv:PWPolicyInfo:passwordMustHaveNumber = no
    dirserv:PWPolicyInfo:passwordDisableNumDays = 0
    dirserv:LDAPDefaultPrefix = "dc=server,dc=domain,dc=tld"
    dirserv:defaultKerbRealmName = "SERVER.DOMAIN.TLD"
    dirserv:masterConfig:replicas = _empty_array
    dirserv:LDAPSettings:useSSL = yes
    dirserv:LDAPSettings:LDAPServerBackend = "config"
    dirserv:LDAPSettings:LDAPDataBasePath = "/var/db/openldap/openldap-data"
    dirserv:LDAPSettings:maxSearchResults = "11000 size.prtotal=unlimited"
    dirserv:LDAPSettings:LDAPSSLIdentityName = "*.domain.tld"
    dirserv:LDAPSettings:LDAPTimeoutUnits = "seconds"
    dirserv:LDAPSettings:LDAPSearchBase = "dc=server,dc=domain,dc=tld"
    dirserv:LDAPSettings:searchTimeout = 60
    dirserv:LDAPSettings:LDAPSSLSerialNumber = "2246"
    dirserv:treeConfiguration:odTree:_array_index:0:PrimaryMaster = "server.domain.tld"
    dirserv:treeConfiguration:odTree:_array_index:0:IPaddresses:_array_index:0 = "10.0.1.11"
    dirserv:treeConfiguration:odTree:_array_index:0:IPaddresses:_array_index:1 = "10.0.1.11"
    dirserv:treeConfiguration:odTree:_array_index:0:GUID = "7BACB764-6A2C-451D-BF8D-74654B4FFBB1"
    dirserv:treeConfiguration:odTree:_array_index:0:ReplicaName = "Master"
    dirserv:treeConfiguration:odTree:_array_index:0:treeSource = "PrimaryMaster"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:IPaddresses:_array_index:0 = "10.0.1.11"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:IPaddresses:_array_index:1 = "10.0.1.11"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:GUID = "7BACB764-6A2C-451D-BF8D-74654B4FFBB1"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:ReplicaName = "server.domain.tld"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:Replicas:_array_index:0:GUID = "B15C3B08-2C85-44ED-B18F-403E1B1262AF"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:Replicas:_array_index:0:ReplicaName = "server4.domain.tld"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:IPaddresses:_array_index:0 = "10.0.1.22"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:IPaddresses:_array_index:1 = "172.16.118.1"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:IPaddresses:_array_index:2 = "192.168.178.1"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:GUID = "B15C3B08-2C85-44ED-B18F-403E1B1262AF"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:ReplicaName = "server4.domain.tld"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:Replicas:_array_index:0:GUID = "7BACB764-6A2C-451D-BF8D-74654B4FFBB1"
    dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:Replicas:_array_index:0:ReplicaName = "server.domain.tld"
    I can see that the settings do indeed jive with what the GUI reports.  I just don't know how or why it would have been configured that way.  Is this configuration going to be problematic?  Should I attempt to address it now?  Would changing the replica array be destructive to the current OD database?  I just got done rebuilding the dang thing from the ground up because of unrecoverable corruption, I don't want this to be the beginning of a new problem.
    Thanks for looking.

    Using the battery level meter in this manner is comparable to using your car's fuel gauge to calculate miles per gallon. The only thing that matters is the total amount of operating time from full charge to auto-shutdown.
    Use the wall-mount charger that came with the iPad and charge overnight.  Do NOT use an iPod/iPhone charger.  Do NOT use a computer's USB port.  Then, operate it normally until auto shut-down (ignore any low level alerts that may appear).  An irony is that doing that test to determine the total operating time is also the procedure necessary to calibrate the battery level meter.
    I'm not claiming that you do not have a problem.  I am stating, however, that we don't yet know.  If the above test does, in fact, indicate a problem, read this.
    Also, according to Apple:
    Use Your iPad Regularly
    For proper reporting of the battery’s state of charge, be sure to go through at least one charge cycle per month (charging the battery to 100% and then completely running it down).
    Elsewhere, Apple elaborates and explains that two half-discharges (or four quarter-discharges, etc.) equals one full discharge.

  • X509 message level authentication - Unable to validate identity assertions

    Hi All,
    I am creating a proxy service that will authenticate a soap request with incoming x509 certificate.
    I configured weblogic server following the below blog post
    http://tim.blackamber.org.uk/?p=831
    I also setup SSL and keystore tab in the weblogic server by following steps in the the below URL
    http://biemond.blogspot.com/2009/06/ws-security-in-osb.html
    In my proxy service I am using pre-defined policy "Auth.xml"
    The proxy service is attached below
    I am running the proxy service from test console. I have a security provider created pointing the keystore and selected while running the proxy service from test console ( no user name/password provided)
    I was expecting that proxy service will read the security token and map the CN name correspons to the security token key (my default User name mapper attribute is CN) to an user created in weblogic server and able to authenticate it.
    But I am getting following error. Please suggest.
    <An error ocurred during web service security inbound request processing [error-code: Fault, message-id: 1345281693794990467-5e61805e.1324a2f888f.-7f8a, proxy: myPrototypes/ProxyService/ProxyServiceExtBizV2, operation: null]
    --- Error message:
    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Header/><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><Code xmlns="http://www.w3.org/2003/05/soap-envelope"><Value>env:Sender</Value><Subcode><Value>wsse:InvalidSecurity</Value></Subcode></Code><Reason xmlns="http://www.w3.org/2003/05/soap-envelope"><Text xml:lang="en-US">Unable to validate identity assertions.</Text></Reason></env:Fault></env:Body></env:Envelope>
    weblogic.xml.crypto.wss.WSSecurityException: Unable to validate identity assertions.
         at weblogic.wsee.security.wss.SecurityPolicyValidator.doIdentity(SecurityPolicyValidator.java:144)
         at weblogic.wsee.security.wss.SecurityPolicyValidator.processIdentity(SecurityPolicyValidator.java:107)
         at weblogic.wsee.security.wss.SecurityPolicyValidator.processInbound(SecurityPolicyValidator.java:78)
         at weblogic.wsee.security.WssServerPolicyHandler.processInbound(WssServerPolicyHandler.java:54)
         at weblogic.wsee.security.WssServerPolicyHandler.processRequest(WssServerPolicyHandler.java:30)
         at weblogic.wsee.security.WssHandler.handleRequest(WssHandler.java:74)
         at com.bea.wli.sb.security.wss.wls.Wls92InboundHandler.processRequest(Wls92InboundHandler.java:164)
         at com.bea.wli.sb.security.wss.WssHandlerImpl.doInboundRequest(WssHandlerImpl.java:223)
         at com.bea.wli.sb.context.BindingLayerImpl.addRequest(BindingLayerImpl.java:289)
         at com.bea.wli.sb.pipeline.MessageProcessor.processRequest(MessageProcessor.java:87)
         at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:593)
         at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:591)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
         at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)
         at com.bea.wli.sb.pipeline.RouterManager.processMessage(RouterManager.java:590)
         at com.bea.wli.sb.test.service.ServiceMessageSender.send0(ServiceMessageSender.java:332)
         at com.bea.wli.sb.test.service.ServiceMessageSender.access$000(ServiceMessageSender.java:79)
         at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:137)
         at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:135)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
    proxy service definition:
    <?xml version="1.0" encoding="UTF-8"?>
    <xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:con="http://www.bea.com/wli/sb/services/security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:con1="http://www.bea.com/wli/sb/pipeline/config" xmlns:con2="http://www.bea.com/wli/sb/stages/logging/config" xmlns:con3="http://www.bea.com/wli/sb/stages/config" xmlns:con4="http://www.bea.com/wli/sb/stages/publish/config">
    <ser:coreEntry isProxy="true" isEnabled="true">
    <ser:serviceProvider ref="myPrototypes/x509keyprovider"/>
    <ser:security>
    <con:inboundWss processWssHeader="true"/>
    </ser:security>
    <ser:binding type="abstract SOAP" isSoap12="true" xsi:type="con:AnySoapBindingType" xmlns:con="http://www.bea.com/wli/sb/services/bindings/config"/>
    <ser:monitoring isEnabled="false">
    <ser:aggregationInterval>10</ser:aggregationInterval>
    <ser:pipelineMonitoringLevel>Pipeline</ser:pipelineMonitoringLevel>
    </ser:monitoring>
    <ser:reporting>true</ser:reporting>
    <ser:logging isEnabled="true">
    <ser:logLevel>debug</ser:logLevel>
    </ser:logging>
    <ser:sla-alerting isEnabled="true">
    <ser:alertLevel>normal</ser:alertLevel>
    </ser:sla-alerting>
    <ser:pipeline-alerting isEnabled="true">
    <ser:alertLevel>normal</ser:alertLevel>
    </ser:pipeline-alerting>
    <ser:ws-policy>
    <ser:binding-mode>service-policy-bindings</ser:binding-mode>
    <ser:policies>
    <ser:service-policy>
    <ser:predefined-policy>Auth.xml</ser:predefined-policy>
    </ser:service-policy>
    </ser:policies>
    </ser:ws-policy>
    </ser:coreEntry>
    <ser:endpointConfig>
    <tran:provider-id>http</tran:provider-id>
    <tran:inbound>true</tran:inbound>
    <tran:URI>
    <env:value>/myPrototypes/ProxyService/ProxyServiceExtBizV2</env:value>
    </tran:URI>
    <tran:inbound-properties/>
    <tran:all-headers>true</tran:all-headers>
    <tran:provider-specific>
    <http:inbound-properties/>
    </tran:provider-specific>
    </ser:endpointConfig>
    <ser:router>
    <con1:pipeline type="request" name="PipelinePairNode1_request">
    <con1:stage name="stage1">
    <con1:context/>
    <con1:actions>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7e09</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$header</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:request side:hdr is</con2:message>
    </con2:log>
    <con4:route>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7866</con3:id>
    <con4:service ref="myPrototypes/BizService/BizServiceExtBiz" xsi:type="ref:BusinessServiceRef" xmlns:ref="http://www.bea.com/wli/sb/reference"/>
    <con4:outboundTransform/>
    </con4:route>
    </con1:actions>
    </con1:stage>
    </con1:pipeline>
    <con1:pipeline type="response" name="PipelinePairNode1_response">
    <con1:stage name="stage1">
    <con1:context/>
    <con1:actions>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7cd6</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$header</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:response side:hdr is</con2:message>
    </con2:log>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-79d3</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$outbound</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:response side:outbound is</con2:message>
    </con2:log>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-79b6</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$inbound</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:response side:inbound is</con2:message>
    </con2:log>
    </con1:actions>
    </con1:stage>
    </con1:pipeline>
    <con1:flow>
    <con1:pipeline-node name="PipelinePairNode1">
    <con1:request>PipelinePairNode1_request</con1:request>
    <con1:response>PipelinePairNode1_response</con1:response>
    </con1:pipeline-node>
    </con1:flow>
    </ser:router>
    </xml-fragment>
    Edited by: 818591 on Sep 8, 2011 4:47 PM

    For anyone watching this thread for any relevant information,
    after adding sign.xml policy, it started working

  • SAML2 Service Provider not writing artifact key to cache

    I have been following http://biemond.blogspot.com/2009/09/sso-with-weblogic-1031-and-saml2.html to attempt to get Single Sign On working.
    I created 2 new WebLogic 10.3.3 domains using an RDBMS Security Store (they are both pointing to the same RDBMS Security Store). I went through the guide, and after some time and troubleshooting was able to complete all the steps. I then created a very, very basic JSF2 application that basically has a secured blank page. I set up this URL in the Service Provider configuration so that when I attempt to browse to the URL http://localhost:7002/saml-test/ (7002 is the port I assigned the second server; it is not SSL) it does successfully attempt to redirect to the Identity Provider for authentication. However, when it redirects I get a 403 Forbidden error.
    Based on the logs it appears that the Service Provider is writing the artifact key to "the cache" (logs aren't specific, but I'm assuming DemoIdentity.jks?). But when the Identity Provider attempts to retrieve the key from the cache it finds nothing and returns null, causing an exception. I also attempted to view the DemoIdentity.jks contents by using:
    keytool -list -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
    And the key specified in the logs is not there. I also looked at all the data in the RDBMS database and could not find the key there. I'm assuming I am just missing some basic understanding of what is going on here, but I've been pulling my hair out with this thing for a week, and have had no luck figuring it out.
    Below are the logs: (Note: I removed some of the leading debug info like time and date to save space)
    Service Provider Logs:
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667020> <BEA-000000> <SAML2Filter: Processing request on URI '/saml-test/index.xhtml'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667020> <BEA-000000> <getServiceTypeFromURI(): request URI is '/saml-test/index.xhtml'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667020> <BEA-000000> <getServiceTypeFromURI(): request URI is not a service URI>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667020> <BEA-000000> <getServiceTypeFromURI(): returning service type 'SPinitiator'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667020> <BEA-000000> <SP initiating authn request: processing>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667036> <BEA-000000> <SP initiating authn request: partner id is null>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667036> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667036> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667036> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore Checking if the Keystore file was modified>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667052> <BEA-000000> <put: item with key _0x55e0aecb9df9ad1a2061c408ed8fb7a6 is saved in cache.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667052> <BEA-000000> <SP initiating authn request: use partner binding HTTP/Artifact>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <put: item with key AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI= is saved in cache.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <store saml object org.opensaml.saml2.core.impl.AuthnRequestImpl@1d0397d, BASE64 encoded artifact is AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI=>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <post artifact: false>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <local ARS binding location: http://localhost:7001/saml2/idp/sso/artifact>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <post form template url: null>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <URL encoded artifact: AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI%3D>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <URL encoded relay state: null>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <artifact is sent in http url:http://localhost:7001/saml2/idp/sso/artifact?SAMLart=AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI%3D>
    Identity Provider Logs:
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <SAML2Servlet: Processing request on URI '/saml2/idp/sso/artifact'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <getServiceTypeFromURI(): request URI is '/saml2/idp/sso/artifact'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <getServiceTypeFromURI(): service URI is '/idp/sso/artifact'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <getServiceTypeFromURI(): returning service type 'SSO'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <Request URI: /saml2/idp/sso/artifact>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <Method: GET>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <Query string: SAMLart=AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI%3D>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     Accept: */*>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     Accept-Language: en-us>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 3.0.04506.648; MS-RTC LM 8; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     Accept-Encoding: gzip, deflate>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     Host: localhost:7001>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     Connection: Keep-Alive>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore Checking if the Keystore file was modified>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <ssl client key:Sun RSA private CRT key, 512 bits
    modulus: 7817332509587397552890028336578207339286770598290114724527725719770879356379795125511472689827439136630867724827096844273172334826513804343303721031800247
    public exponent: 65537
    private exponent: 2389560434022984500008330220587930903580143665342415250567830833638555718851227441135738538593823573280638974177840057994863001694333515217638747428107137
    prime p: 89878601557891020780681845905770729690536603261106674473148151816104280723703
    prime q: 86976570330283066459007767878319559738265898367448286741620259855280595939649
    prime exponent p: 49531492934775012550710075660752268859317797579709015700240960055270126903855
    prime exponent q: 86241336493473679108071803409323587446354469591404733468585827031687427955905
    crt coefficient: 20900431671220180283467175612491957186643034513437468583594091501365673934630, ssl client cert chain:[Ljava.security.cert.Certificate;@17de8c5>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <get BASE64 encoded artifact from http request, value is:AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI=>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <ArtifactResolver: sha-1 hash value of remote partner id is '0x0a6b8a4b62a8fc4312f59b578c8e615540467de7'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <ArtifactResolver: found remote partner 'WebSSO-SP-Partner-0' with entity ID 'saml2AP'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <ArtifactResolver: returning partner: [email protected]ba20>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <partner entityid issaml2AP, end point index is:0>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <find end point:[email protected]6886, binding location is:http://localhost:7001/saml2/sp/ars/soap>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <got samlp:ArtifactResolve signing key:Sun RSA private CRT key, 512 bits
    modulus: 7817332509587397552890028336578207339286770598290114724527725719770879356379795125511472689827439136630867724827096844273172334826513804343303721031800247
    public exponent: 65537
    private exponent: 2389560434022984500008330220587930903580143665342415250567830833638555718851227441135738538593823573280638974177840057994863001694333515217638747428107137
    prime p: 89878601557891020780681845905770729690536603261106674473148151816104280723703
    prime q: 86976570330283066459007767878319559738265898367448286741620259855280595939649
    prime exponent p: 49531492934775012550710075660752268859317797579709015700240960055270126903855
    prime exponent q: 86241336493473679108071803409323587446354469591404733468585827031687427955905
    crt coefficient: 20900431671220180283467175612491957186643034513437468583594091501365673934630>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <<?xml version="1.0" encoding="UTF-8"?><samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0x419833daa9699be237eb505d62fe5ab2" IssueInstant="2012-09-17T13:47:47.099Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">saml2CMP</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_0x419833daa9699be237eb505d62fe5ab2">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"/></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>QBOav/grXIftH9szz7jigjkJSXe5oeTUe+mecOWQs44=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
    C9bKLG5yYjU0UvLj0nlN8KJJfRoQiGzse8ZeSVOR2nHicx3M3YQjGgzNJdDIiC69FoUitEOBNAHg
    oYfLcc/5Uw==
    </ds:SignatureValue>
    </ds:Signature><samlp:Artifact>AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI=</samlp:Artifact></samlp:ArtifactResolve>>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <open connection to send samlp:ArtifactResolve. partner id:saml2AP, endpoint url:http://localhost:7001/saml2/sp/ars/soap>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <isClientPasswordSet:false>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <connect to remote ARS.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <SoapSynchronousBindingClient.sendAndReceive: begin to send SAMLObject to server.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <SoapSynchronousBindingClient.sendAndReceive: sending completed, now waiting for server response.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667317> <BEA-000000> <SAML2Servlet: Processing request on URI '/saml2/sp/ars/soap'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667317> <BEA-000000> <getServiceTypeFromURI(): request URI is '/saml2/sp/ars/soap'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667317> <BEA-000000> <getServiceTypeFromURI(): service URI is '/sp/ars/soap'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667317> <BEA-000000> <getServiceTypeFromURI(): returning service type 'ARS'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667317> <BEA-000000> <ArtifactResolutionService.process: get SoapHttpBindingReceiver as receiver and SoapHttpBindingSender as sender.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667333> <BEA-000000> <remove: key AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI= does not exist in cache.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667333> <BEA-000000> <retrieve: no message was found in cache with the messageHandle, return null.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667333> <BEA-000000> <SoapHttpBindingSender.sendResponse: Set HTTP headers to prevent HTTP proxies cache SAML protocol messages.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667333> <BEA-000000> <SoapHttpBindingSender.send: the SOAP envelope to be sent is :
    >
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667333> <BEA-000000> <<?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Body><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xd927ce91bb367412a50520dc7695df1e" InResponseTo="_0x419833daa9699be237eb505d62fe5ab2" IssueInstant="2012-09-17T13:47:47.333Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">saml2CMP</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><samlp:StatusMessage>[Security:096502]There is no saml message in returned samlp:ArtifactResponse.</samlp:StatusMessage></samlp:Status></samlp:ArtifactResponse></soap11:Body></soap11:Envelope>>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <SoapSynchronousBindingClient.sendAndReceive: response code from server is: 200>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <SoapSynchronousBindingClient.sendAndReceive: get a HTTP_OK response, now receive a SOAP envelope message.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <SoapSynchronousBindingClient.sendAndReceive: found XMLObject in envelope, return it.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <http url connection disconnect.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <<?xml version="1.0" encoding="UTF-8"?><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xd927ce91bb367412a50520dc7695df1e" InResponseTo="_0x419833daa9699be237eb505d62fe5ab2" IssueInstant="2012-09-17T13:47:47.333Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">saml2CMP</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><samlp:StatusMessage>[Security:096502]There is no saml message in returned samlp:ArtifactResponse.</samlp:StatusMessage></samlp:Status></samlp:ArtifactResponse>>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <get samlp:ArtifactResponse and verify it.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <saml version:2.0>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <inResponseTo:_0x419833daa9699be237eb505d62fe5ab2>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <status code: urn:oasis:names:tc:SAML:2.0:status:Success>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <status message: [Security:096502]There is no saml message in returned samlp:ArtifactResponse.>
    ####<Sep 17, 2012 9:47:49 AM EDT> <Debug> <SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889669802> <BEA-000000> <[Security:096577]Failed to receive AuthnRequest document from the requester.>
    ####<Sep 17, 2012 9:47:49 AM EDT> <Debug> <SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889669802> <BEA-000000> <Caused by: [Security:096502]There is no saml message in returned samlp:ArtifactResponse.>
    ####<Sep 17, 2012 9:47:49 AM EDT> <Debug> <SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889669802> <BEA-000000> <exception info
    com.bea.security.saml2.service.SAML2Exception: [Security:096577]Failed to receive AuthnRequest document from the requester.
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.receive(SSOServiceProcessor.java:301)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.processAuthnRequest(SSOServiceProcessor.java:118)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.process(SSOServiceProcessor.java:100)
         at com.bea.security.saml2.service.sso.SingleSignOnServiceImpl.process(SingleSignOnServiceImpl.java:50)
         at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:27)
         at $Proxy26.process(Unknown Source)
         at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3686)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused By: com.bea.security.saml2.binding.BindingHandlerException: [Security:096502]There is no saml message in returned samlp:ArtifactResponse.
         at com.bea.security.saml2.artifact.impl.AbstractArtifactResolver.getSamlMsg(AbstractArtifactResolver.java:459)
         at com.bea.security.saml2.artifact.impl.AbstractArtifactResolver.resolve(AbstractArtifactResolver.java:304)
         at com.bea.security.saml2.binding.impl.ArtifactBindingReceiver.resolve(ArtifactBindingReceiver.java:77)
         at com.bea.security.saml2.binding.impl.ArtifactBindingReceiver.receiveRequest(ArtifactBindingReceiver.java:40)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.receive(SSOServiceProcessor.java:295)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.processAuthnRequest(SSOServiceProcessor.java:118)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.process(SSOServiceProcessor.java:100)
         at com.bea.security.saml2.service.sso.SingleSignOnServiceImpl.process(SingleSignOnServiceImpl.java:50)
         at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:27)
         at $Proxy26.process(Unknown Source)
         at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3686)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >

    Hi user13435437,
    The key=AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI= is the SAMLArtifact id, it has nothing to do with any of the public/private keys of the managed servers.
    My scenario is a little bit different: WebLogic working as SP and ADFS2 as IdP. What I would recommend is to use the HTTP-POST and HTTP-REDIRECT bindings instead of the Artifact one.
    But if you want to remain with this binding maybe you should check the "Authentication Request Cache Timeout" attribute.
    Hope it helps,
    Luis
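    Two details in the logs above are worth separating out, because they explain the "does not exist in cache" line. The artifact itself carries no secret: a type-4 SAML artifact is just a 2-byte type code, a 2-byte endpoint index, the SHA-1 of the issuer's entity ID (the "sha-1 hash value of remote partner id" the IdP logs) and a random 20-byte message handle; only the issuer's cache maps it back to the stored AuthnRequest. Resolution therefore only works when the Artifact Resolution Service the IdP calls is backed by the same cache the SP wrote to and the entry has not yet expired (the cache timeout Luis mentions). In the log, the ARS the IdP resolved for the partner is http://localhost:7001/saml2/sp/ars/soap, on the same host and port as the IdP's own SSO endpoint, which is worth checking against the port the SP actually runs on. Separately, the IdP debug log prints the complete 512-bit private CRT key of the demo identity, which is a reason on its own not to run this debug level outside a throwaway lab.

    The following is an added example, not code from the thread or from WebLogic: it parses the logged artifact, then models the artifact flow with two in-memory servers so the correct wiring and the miswired (or expired) case can be compared. Entity IDs and partner name are taken from the log; the AuthnRequest body and the cache/registry classes are constructed placeholders.

```python
import base64
import hashlib
import secrets
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Artifact copied from the Service Provider log in the post above.
LOGGED_ARTIFACT = "AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI="


@dataclass(frozen=True)
class Artifact:
    type_code: int          # SAML 2.0 artifact type 0x0004
    endpoint_index: int     # which ARS endpoint of the issuer to call
    source_id: bytes        # SHA-1 of the issuer's entity ID (20 bytes)
    message_handle: bytes   # random 20-byte lookup key into the issuer's cache


def parse_artifact(b64: str) -> Artifact:
    """Decode a SAML 2.0 type-4 artifact; raise ValueError on anything else."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 44:
        raise ValueError("type-4 artifact must be 44 bytes, got %d" % len(raw))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != 4:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return Artifact(type_code, endpoint_index, raw[4:24], raw[24:44])


def source_id_for(entity_id: str) -> bytes:
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id: str, endpoint_index: int = 0) -> str:
    raw = struct.pack(">HH", 4, endpoint_index) + source_id_for(entity_id) + secrets.token_bytes(20)
    return base64.b64encode(raw).decode("ascii")


ArsCall = Callable[[str], Optional[str]]


class SamlServer:
    """Constructed stand-in for one server's SAML2 message cache and partner registry."""

    def __init__(self, entity_id: str) -> None:
        self.entity_id = entity_id
        self.cache: Dict[str, str] = {}                        # artifact -> stored SAML message
        self.partners: Dict[bytes, Tuple[str, ArsCall]] = {}   # SourceID -> (name, ARS to call)

    # Sender side (the SP in the post): park the message, hand back the artifact for the URL.
    def issue_artifact(self, saml_message: str) -> str:
        art = build_artifact(self.entity_id)
        self.cache[art] = saml_message
        return art

    # Artifact Resolution Service: one-shot lookup, so a replayed artifact resolves to nothing.
    def ars(self, art: str) -> Optional[str]:
        return self.cache.pop(art, None)

    def register_partner(self, name: str, entity_id: str, ars: ArsCall) -> None:
        self.partners[source_id_for(entity_id)] = (name, ars)

    # Receiver side (the IdP in the post): decode, map SourceID to a partner, call its ARS.
    def resolve(self, art: str) -> Tuple[Optional[str], str]:
        parsed = parse_artifact(art)
        entry = self.partners.get(parsed.source_id)
        if entry is None:
            return None, "no partner for SourceID %s" % parsed.source_id.hex()
        name, ars = entry
        msg = ars(art)
        if msg is None:
            return None, "no saml message in ArtifactResponse from %s" % name
        return msg, "ok"


AUTHN_REQUEST = '<samlp:AuthnRequest ID="_example"/>'   # constructed placeholder message


def run_flow(miswired: bool) -> Tuple[Optional[str], str]:
    """miswired=True points the IdP's partner entry at an ARS backed by the IdP's own cache."""
    sp = SamlServer("saml2AP")     # SP entity ID from the log
    idp = SamlServer("saml2CMP")   # IdP entity ID from the log
    idp.register_partner("WebSSO-SP-Partner-0", "saml2AP", idp.ars if miswired else sp.ars)
    art = sp.issue_artifact(AUTHN_REQUEST)
    return idp.resolve(art)


def replay_is_rejected() -> bool:
    sp = SamlServer("saml2AP")
    idp = SamlServer("saml2CMP")
    idp.register_partner("WebSSO-SP-Partner-0", "saml2AP", sp.ars)
    art = sp.issue_artifact(AUTHN_REQUEST)
    first, _ = idp.resolve(art)
    second, _ = idp.resolve(art)
    return first == AUTHN_REQUEST and second is None


if __name__ == "__main__":
    a = parse_artifact(LOGGED_ARTIFACT)
    print("type=%d index=%d source_id=%s" % (a.type_code, a.endpoint_index, a.source_id.hex()))
    print("correct wiring:", run_flow(False))
    print("miswired ARS:  ", run_flow(True))
```

    The miswired run produces the same outcome as the log: the ARS answers with a Success status but no message, because the cache it consults never held the request. The one-shot `pop` is also why a second resolve of the same artifact fails, which is the intended replay protection of the binding, not a bug.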

  • Calling (HTTPS web service) in sharepoint 2013 workflow (SPD)

    I am using SharePoint 2013. I have created a list workflow in SharePoint Designer. I know there is an action "Call HTTP Web Service". Is it possible to access some webservice with authentication (username and password)?

    http://msdn.microsoft.com/en-us/library/office/dn567558%28v=office.15%29.aspx
    "The OData formats support communication with anonymous web services as well as with those protected by various types of authentication. In short, you have full control over the request and response for each service call. This allows you to use a series of activities within a workflow to first authenticate using one service and obtain an OAuth token, and then include that token in future requests to services secured using the OAuth 2.0 protocol."
    http://blogs.msdn.com/b/kaevans/archive/2009/03/10/calling-sharepoint-lists-web-service-using-wcf.aspx
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>
        <bindings>
          <basicHttpBinding>
            <binding name="ListsSoap">
              <security mode="TransportCredentialOnly">
                <transport clientCredentialType="Ntlm" />
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
        <client>
          <endpoint
            address="http://sharepoint/sites/HSC/_vti_bin/lists.asmx"
            binding="basicHttpBinding"
            bindingConfiguration="ListsSoap"
            contract="ServiceReference1.ListsSoap"
            name="ListsSoap" />
        </client>
      </system.serviceModel>
    </configuration>
    http://www.tonytestasworld.com/post/2009/06/04/How-To-Authenticate-and-Use-SharePoint-Web-Services-in-an-FBA-SharePoint-site.aspx

  • ABAP Tutorials for SSF_SIGN and SSF_VERIFY?

    Are there any ABAP tutorials for the SSFG function group function modules.  Especially SSF_SIGN and SSF_VERIFY?
    Thank you,
    Dean Atteberry.
    Edited by: Dean Atteberry on Jan 21, 2009 11:25 PM

    If the FM is not released, then any "tutorial" you might find would only be as reliable as the FM itself (particularly its interface).
    Perhaps what you are looking for is FM SSFT_PPPI_SIGN (see the thread "Is it possible to use SNC and SSF together ?")?
    Note that I have a development request open on this function, but I hope that the interface will remain stable and only the existing "auth_method" (cannot remember the exact name) will be enhanced within the FM coding to make it more configurable.
    The reason for this relates to Single-Sign-On, in which case it is advisable to delete the ABAP password. But then the FM cannot work locally, and using the remote option is too confusing for the user as they cannot be expected to know where they are authenticating, as they innocently logged on (the opposite of what this method was intended to solve in the olden days).
    What I am hoping for, is that SAP will provide a secure LDAP bind to verify the signature (or at least add a configurable custom method to add custom coding to verify the authenticity of the caller).
    My understanding of interpretations of legal reasons, is that just clicking somewhere is not enough (even if it is unintuitive - which some cell phones are as well...).
    Cheers,
    Julius

  • UCCE 8.5(2) install on W2008 R2 SP1 - 2008 DC Problems

    I recently installed from 8.0.1A a UCCE and CVP system in my lab - DC (W2003), RGR, AW-HDS, PG with CUCM, CUPS, CVP. As noted, the Domain Controller was a W2003 box. Basically no worries.
    So now I try to do it again with a W2008 R2 Domain Controller and this thing is wild. I've ensured that the Firewalls are off at all three levels, but the Domain Manager is complaining and I have trouble logging into the Web setup tool.
    Anyone have any tips to make this play nice? It was simple with a 2003 DC, but the 2008 R2 DC is a spider's web of security layers.
    Regards,
    Geoff

    But I must say there is very little tracing in the DomainManager - even when I made the registry change.
    My mistake. It does not write at a higher trace level to DomainManager.txt but instead creates a new file called sadlib.log in the TEMP directory.
    I'm still unable to create the OU correctly so that Web Setup allows the instance to be added.
    But if I run DomainManager again, it crashes when I click on the + to expand the top level item.
    When I try to add the instance the trace from Websetup.log is:
    17: SB738571.W2008.ICM: Aug 24 2011 11:11:55.249 -0700: %ICM-ERROR-ADSetupAuthorizer.checkAndFixSecurityGroups:  A problem was encountered while checking or creating security groups for instance OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM; Exception Details: Should have SG member "CN=lab_ucce1_Setup,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM" in:
    CN=lab_ucce1_Config,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM
    0x8A (138)
    Should have SG member "CN=lab_ucce1_Setup,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM" in:
    CN=lab_ucce1_WebView,OU=ucce1,OU=lab,OU=Cisco_ICM,DC=W2008,DC=ICM
    0x8A (138)
    Although I can't use the DomainManager I can go directly to the DC and add the groups I "think" it wants, referring to the above trace. No good.
    sadlib.log - the error I get when I try to add the Cisco_ICM OU is detailed a little more in this log.
    08/24/11 10:37:11   SadMan::addSGMember getAdObject SadIcmInstance::GetIcmInstance() returned NULL
    08/24/11 10:37:11   SadMan::addSGMember adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_Config,OU=Cisco_ICM,DC=W2008,DC=ICM
    08/24/11 10:37:11   SadMan::addSGMember Succeeded (0x0) adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_Config,OU=Cisco_ICM,DC=W2008,DC=ICM
    08/24/11 10:37:11   SadMan::addSGMember getAdObject SadIcmInstance::GetIcmInstance() returned NULL
    08/24/11 10:37:11   SadMan::addSGMember adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_WebView,OU=Cisco_ICM,DC=W2008,DC=ICM
    08/24/11 10:37:11   SadMan::addSGMember Succeeded (0x0) adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_WebView,OU=Cisco_ICM,DC=W2008,DC=ICM
    08/24/11 10:37:11   SadMan::addSGMember getAdObject SadIcmInstance::GetIcmInstance() returned NULL
    08/24/11 10:37:11   SadMan::addSGMember adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_Setup,OU=Cisco_ICM,DC=W2008,DC=ICM
    08/24/11 10:37:11   SadMan::addSGMember Succeeded (0x0) adding member LDAP://W2008.ICM/CN=Domain Admins,CN=Users,DC=W2008,DC=ICM to group CN=Cisco_ICM_Setup,OU=Cisco_ICM,DC=W2008,DC=ICM
    08/24/11 10:37:11   SadStatus::appendText Cannot get Security, no bind to object OU=Cisco_ICM,DC=W2008,DC=ICM
    08/24/11 10:37:11   SadStatus::addError Cannot add ACE Null Dacl
    08/24/11 10:37:11   SadMan::getGuid
    Not quite enough to help me. I am sure there is some security setting I need to "relax" on the DC before this runs in order for it to work.
    Any clues guys?
    Regards,
    Geoff

  • Saml2 error validateArtifactRequester: certificate from client is null

    Hi,
    I got this error: ArtifactResolutionService.validateArtifactRequester: certificate from client is null, authentication is failed.
    If you see the log then you can see the handshaking between assertion and identity works, but somehow the assertion refuses the response of the identity
    assertion provider
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Filter: Processing request on URI '/appB/faces/aut/restricted.jspx'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): request URI is '/appB/faces/aut/restricted.jspx'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): request URI is not a service URI>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): returning service type 'SPinitiator'>
    ####<12-sep-2009 17:30:24 uur CEST><SP initiating authn request: processing>
    ####<12-sep-2009 17:30:24 uur CEST><SP initiating authn request: partner id is null>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore Checking if the Keystore file was modified>
    ####<12-sep-2009 17:30:24 uur CEST><SP initiating authn request: use partner binding HTTP/Artifact>
    ####<12-sep-2009 17:30:24 uur CEST><store saml object org.opensaml.saml2.core.impl.AuthnRequestImpl@168c85b, BASE64 encoded artifact is AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH/NaPWjnhgmqYEpXMWX2STBHg=>
    ####<12-sep-2009 17:30:24 uur CEST><post artifact: false>
    ####<12-sep-2009 17:30:24 uur CEST><local ARS binding location: http://laptopedwin.wh.lan:8001/saml2/idp/sso/artifact>
    ####<12-sep-2009 17:30:24 uur CEST><post form template url: null>
    ####<12-sep-2009 17:30:24 uur CEST><URL encoded artifact: AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH%2FNaPWjnhgmqYEpXMWX2STBHg%3D>
    ####<12-sep-2009 17:30:24 uur CEST><URL encoded relay state: null>
    ####<12-sep-2009 17:30:24 uur CEST><artifact is sent in http url:http://laptopedwin.wh.lan:8001/saml2/idp/sso/artifact?SAMLart=AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH%2FNaPWjnhgmqYEpXMWX2STBHg%3D>
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Servlet: Processing request on URI '/saml2/sp/ars/soap'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): request URI is '/saml2/sp/ars/soap'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): service URI is '/sp/ars/soap'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): returning service type 'ARS'>
    ####<12-sep-2009 17:30:24 uur CEST><ArtifactResolutionService.process: get SoapHttpBindingReceiver as receiver and SoapHttpBindingSender as sender.>
    ####<12-sep-2009 17:30:24 uur CEST><ArtifactResolutionService.validateArtifactRequester: certificate from client is null, authentication is failed.>
    ####<12-sep-2009 17:30:24 uur CEST> <Warning> <Security> <LAPTOPEDWIN> <DefaultServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1252769424812> <BEA-000000> <[Security:096565]Artifact requester authentication failed.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapHttpBindingSender.sendResponse: Set HTTP headers to prevent HTTP proxies cache SAML protocol messages.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapHttpBindingSender.send: the SOAP envelope to be sent is :
    >
    ####<12-sep-2009 17:30:24 uur CEST> <<?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Body><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xf34d9596cf9f8d37715fdf3529266b40" InResponseTo="_0xe219b059e77568bc835736caa94d6855" IssueInstant="2009-09-12T15:30:24.812Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">jdev_wls</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><samlp:StatusMessage>[Security:096565]Artifact requester authentication failed.</samlp:StatusMessage></samlp:Status></samlp:ArtifactResponse></soap11:Body></soap11:Envelope>>
    ####<12-sep-2009 17:35:24 uur CEST> <authn_request - item: _0x9061f430c89cd074398250c710c83045 expired.>
    identity provider
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Servlet: Initialized logger service>
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Servlet: Initialized SAML2 service>
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Servlet: setConfigKey called with key 'default'>
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Servlet: Processing request on URI '/saml2/idp/sso/artifact'>
    ####<12-sep-2009 17:30:24 uur CEST><Redirect URI cache updated.>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore Checking if the Keystore file was modified>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): request URI is '/saml2/idp/sso/artifact'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): service URI is '/idp/sso/artifact'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): returning service type 'SSO'>
    ####<12-sep-2009 17:30:24 uur CEST><Request URI: /saml2/idp/sso/artifact>
    ####<12-sep-2009 17:30:24 uur CEST><Method: GET>
    ####<12-sep-2009 17:30:24 uur CEST><Query string: SAMLart=AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH%2FNaPWjnhgmqYEpXMWX2STBHg%3D>
    ####<12-sep-2009 17:30:24 uur CEST><     Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*>
    ####<12-sep-2009 17:30:24 uur CEST><     Referer: http://127.0.0.1:7101/appB/faces/appBStart.jspx;jsessionid=TtbvKr5Myy7hC5y2j9YVZMLp2dxvYlGP3nV8KnJPtnB5svv4cnDL!-453074333?_adf.ctrl-state=m6b65gdxq_4>
    ####<12-sep-2009 17:30:24 uur CEST><     Accept-Language: nl>
    ####<12-sep-2009 17:30:24 uur CEST><     User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)>
    ####<12-sep-2009 17:30:24 uur CEST><     Host: laptopedwin.wh.lan:8001>
    ####<12-sep-2009 17:30:24 uur CEST><     Accept-Encoding: gzip, deflate>
    ####<12-sep-2009 17:30:24 uur CEST><     Connection: Keep-Alive>
    ####<12-sep-2009 17:30:24 uur CEST><     Cache-Control: no-cache>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    ####<12-sep-2009 17:30:24 uur CEST><ssl client key:Sun RSA private CRT key, 1024 bits
    modulus: 135256530343776309493378499238723474761809537383354856443783031405724842963590896515127253614442774833330163469306346998433606124817086312759138932710087080464501074410925139095622741276531270633324573257815772267862467588496928149465417098076218732040047455958122894583653703895415828491462423303970267662119
    public exponent: 65537
    private exponent: 70314326087743699962454879977162652930937500017561071746336998641882377889887267410323718367396514008446506086626901479113065301623787031382331559843030136237857866934906267741351110674239213829006129063775109788707087302538026535943257466578949319062480441789214176315827916248430287133081293921721804088033
    prime p: 11974625102832097583118096114610793613205242504983701060834332690026001982375077665162762308523793650653350947197100038932023730202787298553029195261347327
    prime q: 11295262205059515784067784104204404656057034968759802138195417174670025481580489505249455835611140503620524999898446032906677280702668039750528726228078297
    prime exponent p: 10636051419212951957075964614303506523311875298802298281157626077164099690190818102244374273181234298154969131746805474255337189050985724645168110919912251
    prime exponent q: 9180707495599589343206474566470241653094376286920321960074362300079694178141042692915879784722129977674567430529173188898986608915112396683265394948155617
    crt coefficient: 3999529359604887198322520465212803445668432210961019729502103914530388247742016641237995952808703712482862506414062073383339683451433625683775233168415551, ssl client cert chain:[Ljava.security.cert.Certificate;@767c0d>
    ####<12-sep-2009 17:30:24 uur CEST><get BASE64 encoded artifact from http request, value is:AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH/NaPWjnhgmqYEpXMWX2STBHg=>
    ####<12-sep-2009 17:30:24 uur CEST><ArtifactResolver: sha-1 hash value of remote partner id is '0xc46d956aa4de6f55a95df24aeeea8c9706a34f0f'>
    ####<12-sep-2009 17:30:24 uur CEST><ArtifactResolver: found remote partner 'jdev' with entity ID 'jdev_wls'>
    ####<12-sep-2009 17:30:24 uur CEST><ArtifactResolver: returning partner: [email protected]779>
    ####<12-sep-2009 17:30:24 uur CEST><partner entityid isjdev_wls, end point index is:0>
    ####<12-sep-2009 17:30:24 uur CEST><find end point:[email protected]2a7, binding location is:http://laptopedwin.wh.lan:7101/saml2/sp/ars/soap>
    ####<12-sep-2009 17:30:24 uur CEST><<?xml version="1.0" encoding="UTF-8"?><samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xe219b059e77568bc835736caa94d6855" IssueInstant="2009-09-12T15:30:24.671Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">soa</saml:Issuer><samlp:Artifact>AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH/NaPWjnhgmqYEpXMWX2STBHg=</samlp:Artifact></samlp:ArtifactResolve>>
    ####<12-sep-2009 17:30:24 uur CEST><open connection to send samlp:ArtifactResolve. partner id:jdev_wls, endpoint url:http://laptopedwin.wh.lan:7101/saml2/sp/ars/soap>
    ####<12-sep-2009 17:30:24 uur CEST><isClientPasswordSet:false>
    ####<12-sep-2009 17:30:24 uur CEST><connect to remote ARS.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapSynchronousBindingClient.sendAndReceive: begin to send SAMLObject to server.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapSynchronousBindingClient.sendAndReceive: sending completed, now waiting for server response.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapSynchronousBindingClient.sendAndReceive: response code from server is: 200>
    ####<12-sep-2009 17:30:24 uur CEST><SoapSynchronousBindingClient.sendAndReceive: get a HTTP_OK response, now receive a SOAP envelope message.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapSynchronousBindingClient.sendAndReceive: found XMLObject in envelope, return it.>
    ####<12-sep-2009 17:30:24 uur CEST><http url connection disconnect.>
    ####<12-sep-2009 17:30:24 uur CEST><<?xml version="1.0" encoding="UTF-8"?><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xf34d9596cf9f8d37715fdf3529266b40" InResponseTo="_0xe219b059e77568bc835736caa94d6855" IssueInstant="2009-09-12T15:30:24.812Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">jdev_wls</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><samlp:StatusMessage>[Security:096565]Artifact requester authentication failed.</samlp:StatusMessage></samlp:Status></samlp:ArtifactResponse>>
    ####<12-sep-2009 17:30:24 uur CEST><get samlp:ArtifactResponse and verify it.>
    ####<12-sep-2009 17:30:24 uur CEST><saml version:2.0>
    ####<12-sep-2009 17:30:24 uur CEST><inResponseTo:_0xe219b059e77568bc835736caa94d6855>
    ####<12-sep-2009 17:30:24 uur CEST><status code: urn:oasis:names:tc:SAML:2.0:status:Success>
    ####<12-sep-2009 17:30:24 uur CEST><status message: [Security:096565]Artifact requester authentication failed.>
    ####<12-sep-2009 17:30:24 uur CEST><[Security:096577]Failed to receive AuthnRequest document from the requester.>
    ####<12-sep-2009 17:30:24 uur CEST><Caused by: [Security:096502]There is no saml message in returned samlp:ArtifactResponse.>
    ####<12-sep-2009 17:30:24 uur CEST><exception info
    com.bea.security.saml2.service.SAML2Exception: [Security:096577]Failed to receive AuthnRequest document from the requester.
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.receive(SSOServiceProcessor.java:301)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.processAuthnRequest(SSOServiceProcessor.java:118)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.process(SSOServiceProcessor.java:100)
         at com.bea.security.saml2.service.sso.SingleSignOnServiceImpl.process(SingleSignOnServiceImpl.java:50)
         at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:27)
         at $Proxy26.process(Unknown Source)
         at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3590)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2200)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2106)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1428)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    com.bea.security.saml2.binding.BindingHandlerException: [Security:096502]There is no saml message in returned samlp:ArtifactResponse.
         at com.bea.security.saml2.artifact.impl.AbstractArtifactResolver.getSamlMsg(AbstractArtifactResolver.java:459)
         at com.bea.security.saml2.artifact.impl.AbstractArtifactResolver.resolve(AbstractArtifactResolver.java:304)
         at com.bea.security.saml2.binding.impl.ArtifactBindingReceiver.resolve(ArtifactBindingReceiver.java:77)
         at com.bea.security.saml2.binding.impl.ArtifactBindingReceiver.receiveRequest(ArtifactBindingReceiver.java:40)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.receive(SSOServiceProcessor.java:295)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.processAuthnRequest(SSOServiceProcessor.java:118)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.process(SSOServiceProcessor.java:100)
         at com.bea.security.saml2.service.sso.SingleSignOnServiceImpl.process(SingleSignOnServiceImpl.java:50)
         at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:27)
         at $Proxy26.process(Unknown Source)
         at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3590)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2200)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2106)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1428)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
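    Luis's point in the earlier thread (the value after key= is the artifact itself, not key material) and the IdP trace above (the logged "sha-1 hash value of remote partner id" and "end point index is:0") can both be checked by decoding the artifact. The following is an added example, not code from either thread or from WebLogic: it splits a SAML 2.0 type 0x0004 artifact into its fixed-width fields and resolves the issuer the way an ARS client does, by hashing the configured partner entity IDs and comparing against the SourceID. The two artifact strings are copied from the posts above; the partner entity IDs used in the round trip are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional

# SAML 2.0 type 0x0004 artifact (Bindings spec, section 3.6.4), 44 bytes in total:
#   TypeCode (2) | EndpointIndex (2) | SourceID (20) | MessageHandle (20)
# SourceID is SHA-1 of the issuer's entity ID; MessageHandle is a random value that
# only the issuer can map back to the stored message. No keys or assertions inside.
TYPE_CODE_4 = 0x0004
ARTIFACT_LEN = 44


@dataclass(frozen=True)
class Artifact:
    type_code: int
    endpoint_index: int
    source_id: bytes
    message_handle: bytes


def parse_artifact(b64: str) -> Artifact:
    """Decode a base64 artifact and split it into its fields, rejecting other types."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"expected {ARTIFACT_LEN} bytes, got {len(raw)}")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != TYPE_CODE_4:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return Artifact(type_code, int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44])


def source_id_for(entity_id: str) -> bytes:
    """SourceID as the spec defines it: SHA-1 over the UTF-8 entity ID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id: str, endpoint_index: int = 0) -> str:
    """Issue a fresh type-4 artifact, as the sending party does before the redirect."""
    handle = os.urandom(20)  # unguessable message handle
    raw = (TYPE_CODE_4.to_bytes(2, "big") + endpoint_index.to_bytes(2, "big")
           + source_id_for(entity_id) + handle)
    return base64.b64encode(raw).decode("ascii")


def resolve_issuer(artifact: Artifact, partners: Iterable[str]) -> Optional[str]:
    """Return the configured partner whose entity-ID hash equals the SourceID, else None.

    Only the partner list decides which ARS endpoint may be called back; an artifact
    whose SourceID matches no partner must be dropped rather than resolved."""
    for entity_id in partners:
        if hmac.compare_digest(source_id_for(entity_id), artifact.source_id):
            return entity_id
    return None


# Artifact strings copied from the two threads above (page values, not constructed).
LUIS_THREAD_ARTIFACT = "AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI="
SAML2_THREAD_ARTIFACT = "AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH/NaPWjnhgmqYEpXMWX2STBHg="
# SHA-1 the IdP logged for the remote partner in the SAML2 thread.
LOGGED_SOURCE_ID_HEX = "c46d956aa4de6f55a95df24aeeea8c9706a34f0f"


if __name__ == "__main__":
    for label, b64 in [("Luis", LUIS_THREAD_ARTIFACT), ("SAML2", SAML2_THREAD_ARTIFACT)]:
        a = parse_artifact(b64)
        print(f"{label}: type=0x{a.type_code:04x} endpoint={a.endpoint_index} "
              f"sourceID={a.source_id.hex()} handle={a.message_handle.hex()}")
    # Round trip against a constructed (hypothetical) partner list.
    partners = ["https://sp.example.test/saml", "https://idp.example.test/saml"]
    art = parse_artifact(build_artifact(partners[0], endpoint_index=1))
    print("issuer:", resolve_issuer(art, partners), "endpoint index:", art.endpoint_index)
```

    Running it shows that the SourceID of the second artifact is exactly the SHA-1 the IdP logged, which is how it picked partner 'jdev_wls' and its ARS endpoint; the failure in the trace happens afterwards, when the SP's ARS finds no client certificate on the SOAP call ("certificate from client is null"). One more thing worth noticing in the same trace: at this debug level WebLogic printed the SSL client key's modulus, private exponent, primes and CRT coefficient. A log file containing those values has to be handled as a secret, and the key it belongs to replaced.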

    Tony,
    Refer SAP Note: 730870. Q16.
    Fyr from SAP Note:
    Q 16: While sending a message to the RfcAdapter the error "... functiontemplate from repository was <null>" is shown. Which reasons are possible?
    A: After receiving a message from the Adapter Engine, the RfcAdapter extracts the payload from the message. Normally this should be an XML document in the RFC-XML format. In this format the root element of the XML document represents the name of the function module and is enclosed in the fixed RFC namespace 'urn:sap-com:document:sap:rfc:functions'. But this only will be checked at a later point, when the conversion from XML to native RFC is done. As prerequisite of this conversion the structures and types of the function module parameters have to be known. This is also called metadata or function template. To get this function template the name of the function module is extracted from the root element of the XML document and is queried against the metadata repository of the communication channel. If the metadata repository doesn't have a function module with this name, the exception named above is thrown. Possible reasons are:
    The XML document, which was sent to the RfcAdapter, is not an RFC-XML document. So the root element name of this document is not the name of a function module and thus can't be found in the metadata repository.
    The metadata repository doesn't contain an entry for this function module name. Normally the metadata repository will be an R/3 system and its function module repository can be searched with transaction code SE37.
    raj.

  • Security issue in DNS ! Update bind.

    Apparently there is a massive security issue in DNS protocol : http://securosis.com/2008/07/08/dan-kam … -released/
    or http://www.kb.cert.org/vuls/id/800113
    I am surprised I haven't seen any post on the forum about it. For now a solution could be to update bind to 9.5.0-P1 (I don't know if the one in testing is this particular one, there is no "P1").
    Every DNS server has to be upgraded since the issue is in the protocol, not in the code !

    A lot of systems got updated yesterday/today. I just checked a Windows Server 2003 x64 RC2 at work; yesterday it was vulnerable, but today it's reported safe after the recent security updates (this site offers some kind of check: http://www.doxpara.com/)
    I believe all the "big" ones in Linux did release an update yesterday, so there are probably plenty of patches around... which is beyond the limits of my brain cells at the moment.
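    As an added illustration, not from this thread or from the check site it links: the fix shipped for VU#800113 makes resolvers randomize the UDP source port of their outgoing queries, and the "check" sites of the time worked by observing which source ports a resolver used over several queries. The function below applies the same idea to a list of source ports you would collect from your own resolver's outbound traffic, and also flags the sequential case, which a plain distinct-port count would miss. The three samples are constructed, not captured.

```python
import math
from collections import Counter
from typing import Dict, Sequence


def shannon_bits(values: Sequence[int]) -> float:
    """Shannon entropy in bits of the empirical distribution of the observed values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def is_sequential(values: Sequence[int]) -> bool:
    """True when every step between consecutive values is the same (port, port+k, port+2k ...)."""
    if len(values) < 3:
        return False
    return len({b - a for a, b in zip(values, values[1:])}) == 1


def assess_source_ports(ports: Sequence[int]) -> Dict[str, object]:
    """Classify a resolver's outbound source ports as FIXED, SEQUENTIAL, POOR or RANDOMIZED."""
    n = len(ports)
    if n < 16:
        raise ValueError("need at least 16 observed queries for a meaningful verdict")
    distinct = len(set(ports))
    if distinct == 1:
        verdict = "FIXED"        # one port for every query: only the 16-bit TXID varies
    elif is_sequential(ports):
        verdict = "SEQUENTIAL"   # high distinct count but fully predictable
    elif distinct < 0.8 * n:
        verdict = "POOR"         # ports repeat far more than random choice would
    else:
        verdict = "RANDOMIZED"
    return {"queries": n, "distinct_ports": distinct,
            "entropy_bits": round(shannon_bits(ports), 2), "verdict": verdict}


# Constructed samples of 24 observed source ports each (not real captures).
FIXED_PORT_SAMPLE = [53] * 24
SEQUENTIAL_SAMPLE = list(range(32768, 32768 + 24))
RANDOMIZED_SAMPLE = [34129, 51877, 8412, 60233, 17765, 42901, 3391, 55020,
                     29344, 61907, 12588, 47315, 6073, 38650, 52198, 21477,
                     59804, 9936, 44261, 31578, 15702, 63340, 26819, 40455]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT_SAMPLE), ("sequential", SEQUENTIAL_SAMPLE),
                         ("randomized", RANDOMIZED_SAMPLE)]:
        print(name, assess_source_ports(sample))
```

    With only a couple of dozen queries the entropy figure is capped at log2(n), so the verdict is driven by the distinct-port ratio and the sequential check; collect a few hundred queries before reading much into the bit count.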

  • Error "Channel binding security failure" in tuxedo 8.1

    When I tried to connect from domain "WERD_DOMAIN_ACCEPT" from one machine to another domain "atdexprodcp2" on another machine, I am getting the following error message in the ULOG:
    092119.lasxxx!GWTDOMAIN.23146.1.0: LIBGWT_CAT:1549: ERROR: Failed security validation with remote domain (domainid=atdexprodcp2)
    092119.lasxxx!GWTDOMAIN.23146.1.0: LIBGWT_CAT:1008: ERROR: Unable to connect to remote domain (domainid=<atdexprodcp2>)
    092200.lasxxx!GWTDOMAIN.23146.1.0: LIBGWT_CAT:1535: ERROR: Channel binding security failure
    092200.lasxxx!GWTDOMAIN.23146.1.0: LIBGWT_CAT:1550: ERROR: Failed security validation with remote domain (domainid=atdexprodcp2)
    092200.lasxxx!GWTDOMAIN.23146.1.0: LIBGWT_CAT:1008: ERROR: Unable to connect to remote domain (domainid=<atdexprodcp2>)
    The domain config file on LASXXX:
    *DM_LOCAL_DOMAINS
    WERD_DOMAIN_ACCEPT GWGRP=GWGROUP
    TYPE=TDOMAIN
    DOMAINID="WERD_DOMAIN_ACCEPT"
    DMTLOGDEV="/home/tuxedo/DMTLOG.log"
    DMTLOGNAME="DMTLOG"
    SECURITY=DM_PW
    *DM_REMOTE_DOMAINS
    ATS_PRODCP2_DOMAIN TYPE=TDOMAIN
    DOMAINID="atdexprodcp2"
    ATS_PRODCP1_DOMAIN TYPE=TDOMAIN
    DOMAINID="atdexprodcp1"
    WERD_DOMAIN_TRAIN TYPE=TDOMAIN
    DOMAINID="WERD_DOMAIN_TRAIN"
    *DM_TDOMAIN
    WERD_DOMAIN_ACCEPT NWADDR="//lasxxx:20501"
    ATS_PRODCP1_DOMAIN NWADDR="//lasyyy:36651"
    ATS_PRODCP2_DOMAIN NWADDR="//lasyyy:37651"
    WERD_DOMAIN_TRAIN NWADDR="//lasun114:20601"
    *DM_REMOTE_SERVICES
    The domain config file on LASYYY:
    *DM_LOCAL_DOMAINS
    atdexprodcp1 GWGRP=TXGW01
    TYPE=TDOMAIN
    DOMAINID="atdexprodcp1"
    SECURITY=DM_PW
    BLOCKTIME=30
    *DM_REMOTE_DOMAINS
    atdeluat TYPE=TDOMAIN
    DOMAINID="atdeluat"
    WERD_DOMAIN_DEV1 TYPE=TDOMAIN
    DOMAINID="WERD_DOMAIN_DEV1"
    *DM_TDOMAIN
    atdexprodcp1 NWADDR="//lasyyy:36651"
    WERD_DOMAIN_ACCEPT NWADDR="//lasxxx:20501"
    Could someone know how to fix this problem?

    The most common cause of this problem is an incorrectly configured /Domain password pair; the next most common cause is a mismatched configuration. But before I give you a more definite answer I need to clear a few things up first.
    1. The log shows that it failed to connect to "atdexprodcp2" but the DM configuration file on lasyyy only shows "atdexprodcp1"; can you give me the complete configuration file on lasyyy?
    2. Can you give me the Tuxedo version and RP level on both lasxxx and lasyyy?
    3. It looks like you have 2 failures with 41 seconds in between. The first failure shows that WERD_DOMAIN_ACCEPT is the session initiator. The second failure shows that WERD_DOMAIN_ACCEPT is the session responder. My question is: is the first failure also related to channel binding? (Because the ULOG fragment in your post may be truncated, it does not show the root cause of the failure.)
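    The reply above points at the second most common cause, a mismatched configuration, and asks for the complete files. The checker below is an added example, not part of the thread or of Tuxedo: it parses the two DMCONFIG fragments exactly as posted in the question (copied from the page, including the fact that the lasyyy file is incomplete) and cross-checks them, reporting every domain one side addresses over the network that the other side does not declare as a local domain, every *DM_TDOMAIN address whose domain is not declared at all, every remote domain with no address, and any SECURITY mismatch. The DM_PW password pair itself is not in the config file, so that first cause still has to be checked by hand.

```python
import shlex
from typing import Dict, List

Config = Dict[str, Dict[str, Dict[str, str]]]  # section -> entry name -> {KEY: VALUE}


def parse_dmconfig(text: str) -> Config:
    """Parse the *SECTION / NAME KEY=VALUE layout; an entry starts on a line whose first
    token has no '=', and later KEY=VALUE tokens or lines belong to it. Quotes are removed."""
    sections: Config = {}
    section = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            section = line[1:].strip()
            sections.setdefault(section, {})
            current = None
            continue
        if section is None:
            raise ValueError(f"line before any *SECTION: {line}")
        tokens = shlex.split(line)
        if "=" not in tokens[0]:
            current = tokens.pop(0)
            sections[section][current] = {}
        if current is None:
            raise ValueError(f"KEY=VALUE before an entry name in *{section}: {line}")
        for tok in tokens:
            key, _, value = tok.partition("=")
            sections[section][current][key] = value
    return sections


def _host_of(nwaddr: str) -> str:
    return nwaddr.lstrip("/").split(":")[0].lower()  # "//lasyyy:36651" -> "lasyyy"


def _check_direction(host_a: str, cfg_a: Config, host_b: str, cfg_b: Config) -> List[str]:
    findings: List[str] = []
    locals_a, remotes_a = cfg_a.get("DM_LOCAL_DOMAINS", {}), cfg_a.get("DM_REMOTE_DOMAINS", {})
    tdom_a, tdom_b = cfg_a.get("DM_TDOMAIN", {}), cfg_b.get("DM_TDOMAIN", {})
    locals_b = cfg_b.get("DM_LOCAL_DOMAINS", {})
    for name in tdom_a:  # an address for a domain nobody declared is a config mismatch
        if name not in locals_a and name not in remotes_a:
            findings.append(f"{host_a}: *DM_TDOMAIN entry {name} is not declared in "
                            f"*DM_LOCAL_DOMAINS or *DM_REMOTE_DOMAINS")
    for name, attrs in remotes_a.items():
        addr = tdom_a.get(name, {}).get("NWADDR")
        if addr is None:
            findings.append(f"{host_a}: remote domain {name} has no NWADDR in *DM_TDOMAIN")
            continue
        if _host_of(addr) != host_b.lower():
            continue  # points at a third machine, outside this pair
        domainid = attrs.get("DOMAINID", name)
        peers = [n for n, a in locals_b.items() if a.get("DOMAINID", n) == domainid]
        if not peers:
            findings.append(f"{host_a}: remote domain {name} (DOMAINID={domainid}, NWADDR={addr}) "
                            f"has no matching *DM_LOCAL_DOMAINS entry on {host_b}")
            continue
        peer_addr = tdom_b.get(peers[0], {}).get("NWADDR")
        if peer_addr != addr:
            findings.append(f"{host_a}: NWADDR {addr} for {domainid} differs from {host_b}'s {peer_addr}")
    return findings


def check_pair(host_a: str, cfg_a: Config, host_b: str, cfg_b: Config) -> List[str]:
    """Cross-check both directions plus the SECURITY setting of the local domains."""
    findings = _check_direction(host_a, cfg_a, host_b, cfg_b) + _check_direction(host_b, cfg_b, host_a, cfg_a)
    sec = lambda cfg: {a.get("SECURITY", "NONE") for a in cfg.get("DM_LOCAL_DOMAINS", {}).values()}
    if sec(cfg_a) != sec(cfg_b):
        findings.append(f"SECURITY differs: {host_a}={sorted(sec(cfg_a))} {host_b}={sorted(sec(cfg_b))}")
    return findings


# Both fragments copied from the question above (page values, not constructed).
LASXXX_DMCONFIG = """
*DM_LOCAL_DOMAINS
WERD_DOMAIN_ACCEPT GWGRP=GWGROUP
TYPE=TDOMAIN
DOMAINID="WERD_DOMAIN_ACCEPT"
DMTLOGDEV="/home/tuxedo/DMTLOG.log"
DMTLOGNAME="DMTLOG"
SECURITY=DM_PW
*DM_REMOTE_DOMAINS
ATS_PRODCP2_DOMAIN TYPE=TDOMAIN
DOMAINID="atdexprodcp2"
ATS_PRODCP1_DOMAIN TYPE=TDOMAIN
DOMAINID="atdexprodcp1"
WERD_DOMAIN_TRAIN TYPE=TDOMAIN
DOMAINID="WERD_DOMAIN_TRAIN"
*DM_TDOMAIN
WERD_DOMAIN_ACCEPT NWADDR="//lasxxx:20501"
ATS_PRODCP1_DOMAIN NWADDR="//lasyyy:36651"
ATS_PRODCP2_DOMAIN NWADDR="//lasyyy:37651"
WERD_DOMAIN_TRAIN NWADDR="//lasun114:20601"
*DM_REMOTE_SERVICES
"""
LASYYY_DMCONFIG = """
*DM_LOCAL_DOMAINS
atdexprodcp1 GWGRP=TXGW01
TYPE=TDOMAIN
DOMAINID="atdexprodcp1"
SECURITY=DM_PW
BLOCKTIME=30
*DM_REMOTE_DOMAINS
atdeluat TYPE=TDOMAIN
DOMAINID="atdeluat"
WERD_DOMAIN_DEV1 TYPE=TDOMAIN
DOMAINID="WERD_DOMAIN_DEV1"
*DM_TDOMAIN
atdexprodcp1 NWADDR="//lasyyy:36651"
WERD_DOMAIN_ACCEPT NWADDR="//lasxxx:20501"
"""

if __name__ == "__main__":
    for f in check_pair("lasxxx", parse_dmconfig(LASXXX_DMCONFIG), "lasyyy", parse_dmconfig(LASYYY_DMCONFIG)):
        print("-", f)
```

    On the posted fragments it reports what the reply is asking about: lasxxx addresses atdexprodcp2 on lasyyy, but lasyyy declares no such local domain; and lasyyy carries an address for WERD_DOMAIN_ACCEPT without declaring it as a remote domain, which matters for the second failure, where WERD_DOMAIN_ACCEPT is the responder. The two "no NWADDR" findings for atdeluat and WERD_DOMAIN_DEV1 may simply reflect the truncated paste.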

  • Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties.

    We have a web role where we have hosted a WCF service.
    We are facing the below exception intermittently on consuming the service.
    Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.
    This is intermittent. Few calls fail , and the subsequent calls succeed without making any changes.
    Please help in overcoming this abnormal behavior.
    Thanks in advance !!
    Best Regards ,
    Eswar

    Hi Eswar,
    As the error message mentions, it may be a mismatch between the configuration on the client and the server. Try putting all your configuration in a binding configuration and then use the same binding configuration on the server and client. Since this issue is more related to WCF, I suggest you move to the WCF forum; it is appropriate and more experts will assist you.
    Best Regards,
    Jambor

Maybe you are looking for