Secure Login and trust between BO/BW
Hi.
We configured server-side trust between BO and BW using libsapcrypto library. All works fine.
Now we are installing Secure Login (SAP NetWeaver Single Sign-On) for SSO from SAP GUI based on a Kerberos token. To configure Secure Login we need to modify profile parameters like
snc/identity/as=p:CN=QBW, OU=Surgutasuneft, O=Surgutneftegas, C=RU
snc/gssapi_lib=/sapmnt/QBW/exe/libsapcrypto.so
which were in use by the server-side trust between BO and BW. So when we modify them as in the installation guide for Secure Login to this:
snc/identity/as=p:CN=SAP/[email protected]
snc/gssapi_lib=/usr/sap/QBW/DVEBMGS20/SLL/libsecgss.sl
we can use SAP GUI SSO to BW but can't run reports from BO since we broke server-side trust.
We tried many different variations of using these two libraries (including fully regenerating certificates both on BW and BO for server-side trust) but they all failed.
Any suggestions of how we can activate SAP NetWeaver Single Sign-On on our BW systems, without breaking server-side trust between BW and BO?
Thanks in advance
wbr
Stanislav
Thanks, but this problem was resolved. Frane was very helpful in solving this problem, but it was beyond the forum.
He described a possibility of Secure Login Client that I did not know about.
Another possibility is implemented in Secure Login Client 1.0 SP02 Patch 03 and higher (current version is 1.0 SP03 Patch 02).
Secure Login Client is able to “rebuild” the required SPN Name (in your example p:CN=SAP/[email protected]).
This means if the X.509 certificate SNC name is p:CN=KerberosSSO → Secure Login Client will rebuild p:CN=SAP/[email protected]
This works also if the X.509 certificate name is p:CN=KerberosSSO, OU=SAP Security, C=RU
Maybe this solution integration is easier for you? You can use the transaction STRUST to create a self-signed certificate.
Thanks again, Frane.
Similar Messages
-
How to share user login and passwords between blog, forum and Dreamweaver?
I have a site created with Dreamweaver. I want to allow visitors to create a username and password which will allow them to post blog feedback to many pages on my site, post in a forum, and provide their own comments into a database I can show the results for on certain pages. The trick is I want this to all work with one username and password so they don't have to use 3 different logins. I'm not sure if this is too technical, but I thought I'd ask before getting into it and realizing it won't work or I don't have a clue what I'm doing.
I want to allow blog data to be added to a page with CSS content by both admin and visitors (to create an active discussion based on the data on that page). I've seen it on some sites, but don't know how to do it myself:
http://www.joystiq.com/2008/05/19/ea-extends-take-two-purchase-offer-deadline-a-third-time/
I can see they are using Weblogs Inc. software, but it appears the company only collaborates with people they see a fit with.
I also want a forum and I know phpp is recommended. I like the interface, but am unsure if the login data can be shared with a blog.
Lastly, I wanted to allow users to write their own reviews and then show the results and average them for display on the site. I have read and know how to create the database for the site. I just don't know how to share the usernames and password information with the blog and forum.
Also, how do I force Dreamweaver to validate that the usernames and passwords are exactly correct before letting people post under that identity?
I'm loving Dreamweaver and making sites so far. Just trying to take it to the next level.
Thanks very much!
juxtafras wrote:
> I have a site created with Dreamweaver. I want to allow visitors to create a username and password which will allow them to post blog feedback to many pages on my site, post in a forum, and provide their own comments into a database I can show the results for on certain pages. The trick is I want this to all work with one username and password so they don't have to use 3 different logins. I'm not sure if this is too technical, but I thought I'd ask before getting into it and realizing it won't work or I don't have a clue what I'm doing.
>
> I want to allow blog data to be added to a page with CSS content by both admin and visitors (to create an active discussion based on the data on that page). I've seen it on some sites, but don't know how to do it myself:
>
> http://www.joystiq.com/2008/05/19/ea-extends-take-two-purchase-offer-deadline-a-third-time/
>
> I can see they are using Weblogs Inc. software, but it appears the company only collaborates with people they see a fit with.
>
> I also want a forum and I know phpp is recommended. I like the interface, but am unsure if the login data can be shared with a blog.
>
> Lastly, I wanted to allow users to write their own reviews and then show the results and average them for display on the site. I have read and know how to create the database for the site. I just don't know how to share the usernames and password information with the blog and forum.
>
> Also, how do I force Dreamweaver to validate that the usernames and passwords are exactly correct before letting people post under that identity?
>
> I'm loving Dreamweaver and making sites so far. Just trying to take it to the next level.
>
> Thanks very much!
>
What you want is a CMS, but you're not going to get one for Dreamweaver, well, not the kind you want. Something like Joomla can do this, you can add phpBB3 to it, and then using the JFusion extension allow them to share the user database, but I warn you now, it's a steep learning curve. I ended up buying a book just to get to grips with the key concepts.
Steve -
How to transfer logins and passwords between instances of SQL Server query
Hi
Microsoft have provided a SQL script on their support site with regards to moving accounts from one SQL Server to another SQL Server.
KB Link: http://support.microsoft.com/kb/918992/en-us
My question is should I migrate the [NT AUTHORITY and [BUILTIN\ accounts? My thinking is no.
Regards
Hello,
Please follow the below link :
http://sqlmag.com/query-analyser/sql-server-login-transfer
Ahsan Kabir Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread. http://www.aktechforum.blogspot.com/ -
IE 7 patch resets security settings and disables Apex login
I have a working Apex app, and the users must use IE as one of our other applications is not certified for Firefox. Well, everything was working fine on Thursday, we were off Friday. This morning, the main Login button doesn't do anything, and I can't even log into the dev console. Firefox does seem to work.
It seems patch KB980182 resets some security settings, and the Login button doesn't do anything.
I added my site to the Trusted Sites list and everything is working now. Just another notch on my "I hate MS" totem.
Edited by: ABD -- DBA on Apr 5, 2010 10:07 AM
Edited by: ABD -- DBA on Apr 5, 2010 11:27 AM
Hi Alfred,
It seems that you did not perform step 3 at 3.3.11.1 at http://docs.oracle.com/cd/E37097_01/doc/install.42/e35123/otn_install.htm#BABBHFGD
ALTER SESSION SET CURRENT_SCHEMA = APEX_040200;
Please try this before running @load_de.sql.
I hope this helps.
Joel -
Trust between 2008r2 dc and 2012r2 dc
I have to set up a new forest/domain in the DMZ but I will be using 2012 R2.
On the internal side, I am running a 2008 R2 forest/domain.
Can I set up a trust between them or do I need to use 2008 R2 for both DMZ and internal? Do I have to build the forest/domain in the DMZ at 2008 R2 level?
I plan to set up a DC and another server with AD LDS on it. Then I will open 389 or secure LDAP to the AD LDS to the public. Then AD LDS will talk to the DC on the DMZ network.
What do you think??
In a DMZ I will always tell you to not set up a DC there, for security reasons, as even if you restrict the communication to your internal AD from that server, a trust exists, thus you expose via the DMZ all your AD. Depending on your need, if for IIS for example, can you do a reverse proxy setup? (a good example for the OWA webpage for Exchange there; http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx)
Regards, Philippe
Don't forget to mark as answer or vote as helpful to help identify good information. (linkedin endorsement never hurt too :o))
Answer an interesting question? Create a wiki article about it! -
Hello, I have been sent the following email from Apple, see below, and it asks for Apple login details. Is this a genuine request?
Thank you.
You’ve taken the added security step and provided a rescue email address. Now all you need to do is verify that it belongs to you.
The rescue email address that you gave us is [email protected]
Just click the link below to verify, sign in using your Apple ID and password, then follow the prompts.
Verify Now >
The rescue email address is dedicated to your security and allows Apple to get in touch if any account questions come up, such as the need to reset your password or change your security questions. As promised, Apple will never send any announcements or marketing messages to this address.
When using Apple products and services, you’ll still sign in with your primary email address as your Apple ID.
It’s about protecting your identity.
Just so you know, Apple sends out an email whenever someone adds or changes a rescue email address associated with an existing Apple ID. If you received this email in error, don’t worry. It’s likely someone just mistyped their own email address when creating a new Apple ID.
If you have questions or need help, visit the Apple ID Support site.
Thanks again,
Apple Support
In that case, someone is trying to hijack your Apple ID.
You should change your password immediately. -
Moving SP2013 and SQL2008R2 to new domain - no trusts between domain
Hello,
I'm looking to move a customized installation of SharePoint 2013 (Microsoft Server 2012 Std VM) and its db (SQL 2008 R2 VM) from one domain to another domain. There will be no trust between the domains and assume that no users or service accounts will be migrated. Has anyone performed a similar operation? If so, can you provide guidance as to the best way to tackle this situation. Currently we plan on exporting the SP2013 VM from the old domain, importing (re-creating) that VM in the new domain and importing the DB to an existing SQL server in the new domain. My concern is being able to log in to Central Admin afterwards because the domain accounts are no longer valid. Should we change all accounts to local admins first, detach the db and change those accounts as well? Or would a totally different approach make more sense? Any help would be appreciated.
Thanks in advance,
Alex
You need to build a new SharePoint farm; changing a SharePoint server's domain membership isn't supported.
What you'll do is build a new farm, create the Web Application(s), etc. and then restore SQL database backups from the old farm into the new farm.
Trevor Seward
Follow or contact me at...
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
I am new to SQL Server clusters for HA, but from a security angle, say for example you have 10 SQL Servers in the cluster, and Server 1 dies, does Server 2 take on the databases in Server 1? How are the logins in Server 1 carried over so users can still login and access their databases? Or do you have to clone all accounts on all servers so they can still login to any server? This seems massively insecure to me, as users who need access to a DB on server 1 will have no requirement to access DBs on other servers in the node. So how does it work? Please keep answers basic for someone new to this.
Hi,
Read this short tutorial :-)
http://www.brentozar.com/archive/2012/02/introduction-sql-server-clusters/
There is no reason to write it in the forum again:
"A failover cluster basically gives you the ability to have all the data for a SQL Server instance installed in something like a share that can be accessed from different servers. It will always have the same instance name, SQL Agent jobs, Linked Servers
and Logins wherever you bring it up. You can even make it always use the same IPAddress and port– so no users of the SQL Server have to know where it is at any given time."
[Personal Site] [Blog] [Facebook] -
Hi All,
We are having a project to implement NW SSO for NWBC for HTML; Citrix XenApp will be used as the desktop environment. The requirement is that no Java is allowed to be installed in the web browser.
According to the PAM, Secure Login Client does not support Microsoft Application Virtualization (App-V), so how can we deploy the Secure Login Client to the Citrix environment?
If we want to use Secure Login Web Client instead of Secure Login Client, does Secure Login Web Client require Java installed in users' web browsers? In the latest Secure Login implementation guide (SSO 2.0), it does not mention anything about a Java runtime. However, as far as I understand, Secure Login Web Client is a feature of Secure Login Server, while Secure Login Server is a pure Java application, so I suspect that Secure Login Web Client also requires a Java runtime to run. Is that true?
Best regards,
Duy
Hello Duy,
The Product Availability Matrix states that Secure Login Web Client needs a Java runtime in the browser. See the footer of the Secure Login Web Client pages for Windows and Linux/MAC OS browser platform support. It says the following:
For Windows: Supported Java Runtime: Oracle (Sun) JSE 6, 7 and 8, 32bit
For Linux/MAC OS: Supported Java Runtime: Oracle (Sun) JSE 6.0 and 7.0, 32bit/64bit depending on browser
Best regards,
Martin -
Difference Between NWBC login and Portal login in GRC10
Hi All,
Can any one tell the difference between NWBC login and Portal Login in GRC 10?
Thanks & Regards
Mohammed Wasim
Hi,
NWBC is a Web Dynpro application running on the ABAP stack, while Enterprise Portal is a Java application running on the Java stack.
Hope this answers your query.
BR,
Mangesh -
Difference between my-secure-amf and my-secure-http
What's the difference between my-secure-amf and my-secure-http?
For historical reasons, an "AMF" channel is a binary encoded AMF byte stream over HTTP. An "HTTP" channel (bad name!) is an AMFX encoded XML stream over HTTP.
For more on the different types of channels see the documentation here: http://help.adobe.com/en_US/LiveCycleDataServicesES/3.1/Developing/WSc3ff6d0ea77859461172e0811f00f6e876-7fecUpdate.html
Tom -
Forest trust - security issues and how to avoid
Hi guys,
I have few questions.
1/ Planning to do a forest trust. We have Forest + Domain functional level at WS 2003 level.
In case of a trust, what are the security issues and how to avoid them? I mean something like browsing in AD, possible hacking from the new destination etc.
2/ What if the trust cannot be created because of security reasons (rejected by the other company)? What can be a workaround for that? I have an idea with a resource forest or ADFS? Any other ideas?
Thanks in advance, or for a good link to study.
Petr Weiner
Other than broad general answers it is difficult to answer this from the negative side. I work in a very large company where we have hundreds of domains with one way trusts in place and I don't believe we have any security issues in place. With the large numbers of domains we can't operate in any other fashion. We have a user forest and many resource forests. All of our domains and forests are operated and maintained within the company, but if you have domains operated by different departments then you can run into issues on who trusts. Also if you need to have a situation where you need to trust other companies then you start to look at ADFS; you can also use it internally for many applications as well as cloud services. But as I already mentioned you haven't detailed what exactly is going on so it is hard to try and give you a concrete answer.
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security, BS CSci
2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided AS IS with no warranties, and confers no rights. -
Secure login to remote UNIX host and run a shell script
Hi, I am new to Java. I want to login to a remote UNIX host from my application with a secure login (SSH) and run a shell script residing on that remote host. Can anyone let me know how to do it? If possible provide a code example.
Runtime.exec with an ssh command (not really recommended).
Much better, an SSH API (JSch, which needs JZlib, from http://www.jcraft.com/ is a good one). -
Sql query to find activities between Login and Logout time
Hi,
I have 2 tables as shown below
User Table
ActivityTable
I have a requirement in which I need to find all the activities done for a particular user in between login and logout time. Can anybody help me how to write a SQL query for this?
Is this what you are looking for?
-- Logon/logoff events, one row per event; sessionid ties a Logon to its LOGOFF.
DECLARE @User TABLE
(
    userid    INT,
    [date]    DATETIME,
    [type]    VARCHAR(50),
    sessionid SMALLINT
);

-- Activities with their own start/end timestamps.
DECLARE @ActivityTable TABLE
(
    activityid        SMALLINT,
    userid            SMALLINT,
    activity          VARCHAR(50),
    activitystarttime DATETIME,
    activityendtime   DATETIME
);

INSERT INTO @User (userid, [date], [type], sessionid)
VALUES (1, '2002-08-25 16:51:25.107', 'Logon',  111),
       (1, '2002-08-25 17:52:25.107', 'LOGOFF', 111),
       (2, '2007-03-08 19:25:21.170', 'Logon',  222),
       (2, '2007-03-08 21:25:21.170', 'LOGOFF', 222),
       (3, '2007-03-08 19:25:21.170', 'Logon',  234);   -- no LOGOFF yet: session still open

INSERT INTO @ActivityTable (activityid, userid, activity, activitystarttime, activityendtime)
VALUES (234, 1, 'development', '2002-08-25 16:53:23.101', '2002-08-25 16:59:23.170'),
       (789, 2, 'Testing',     '2007-03-08 19:53:23.180', '2007-03-08 20:53:23.180'),
       (789, 2, 'Lunch',       '2007-03-08 19:53:23.180', '2007-03-08 20:53:23.180'),
       (456, 3, 'Testing',     '2007-03-08 19:53:23.180', '2007-03-08 20:53:23.180'),
       (781, 1, 'Lunch',       '2002-08-25 17:00:23.101', '2002-08-25 17:30:00.170'),
       (781, 1, 'Lunch',       '2002-08-25 21:00:23.101', '2002-08-25 22:30:00.170');  -- after logoff, excluded

-- Pair each Logon with the LOGOFF of the same session, then keep only the
-- activities that start after the logon and end before the logoff.
WITH logon AS
(
    SELECT userid, sessionid, [date]
    FROM   @User
    WHERE  [type] = 'Logon'
),
logoff AS
(
    SELECT userid, sessionid, [date]
    FROM   @User
    WHERE  [type] = 'LOGOFF'
)
SELECT act.*
FROM   @ActivityTable AS act
       INNER JOIN logon  AS lo ON lo.userid = act.userid
       INNER JOIN logoff AS lf ON lf.userid = lo.userid
                              AND lf.sessionid = lo.sessionid   -- same session, not any logoff of the user
WHERE  act.activitystarttime > lo.[date]
  AND  act.activityendtime   < lf.[date];
Regards,
Vishal Patel
Blog: http://vspatel.co.uk
Site: http://lehrity.com -
Two-way forest trust between two (single domain) forests with multiple identical user ID's
Domain and forest levels - Windows 2003 (they both have one 2008 R2 DC)
We need to create a two-way forest trust between two separate single-domain forests. The problem is that these two forests already access each other's resources through a S2S. Users have the same login names and passwords on both forests/domains. Now, we are combining their infrastructures and need to set up a trust. From what I'm reading, you can't create forest trusts if you have the same SIDs, user IDs, or computer names in each of the forests.
I'm looking into the AD migration tool to copy the user SIDs (SID history?) between forest/domain, deleting the user IDs in the domain we migrated from, and then setting up the trust, but I'm leery about doing it this way as there is no easy 'recovery' should something go wrong.
Any suggestions for the easiest way to set up this forest trust?
Hi,
To eliminate your worries, two user accounts having the same user name doesn't mean that they have the same SID. Moreover, the user's SID remains the same even after it has been renamed.
The SID for a domain account/group consists of a Domain Identifier and a Relative Identifier. The Domain Identifier is unique for every domain within a forest, and a Relative Identifier is unique within a domain. It is unlikely that two user accounts with or without the same account name from two forests have the same SID.
The Technet article you mentioned is talking about duplicate SIDs instead of “duplicate computer name or user account”, I will submit a change request to Microsoft about this.
If there are duplicate SIDs when you create forest trust, you need to delete one of them as the article guides.
Here are some related articles below for your references:
How Security Identifiers Work
http://technet.microsoft.com/en-us/library/cc778824(v=WS.10).aspx
Security Identifier Structure
http://technet.microsoft.com/en-us/library/cc962011.aspx
Security Identifier
http://en.wikipedia.org/wiki/Security_Identifier
I hope this helps.
Amy Wang
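As an added illustration of the SID structure in the answer above (a constructed example, not part of Amy Wang's reply; the forest names and SIDs are made up), this Python check splits the domain identifier from the RID and flags only true SID duplicates between two forests, ignoring identical account names:

```python
"""Constructed example (not from the thread): the domain identifier / RID split
described in the answer, and a pre-trust check that flags duplicate SIDs only.
Forest names and SIDs below are made up."""
import re
from collections import defaultdict

# Domain account SID layout: S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain identifier, relative identifier) for a domain account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    sub1, sub2, sub3, rid = m.groups()
    return f"S-1-5-21-{sub1}-{sub2}-{sub3}", int(rid)


def find_duplicate_sids(forests: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Map each SID held by more than one account (across all forests) to its holders.

    forests: {forest name: {sAMAccountName: SID}}.  Identical account names are
    deliberately not considered; only an identical SID blocks the trust.
    """
    holders: dict[str, list[str]] = defaultdict(list)
    for forest, accounts in forests.items():
        for name, sid in accounts.items():
            holders[sid].append(f"{forest}\\{name}")
    return {sid: who for sid, who in holders.items() if len(who) > 1}


def report(forests: dict[str, dict[str, str]]) -> list[str]:
    """One line per shared account name (harmless) and per duplicate SID (blocker)."""
    lines = []
    shared_names = set.intersection(*(set(a) for a in forests.values()))
    for name in sorted(shared_names):
        distinct = len({acc[name] for acc in forests.values()}) == len(forests)
        lines.append(f"{name}: same name in all forests, "
                     f"{'distinct SIDs - not a blocker' if distinct else 'SAME SID'}")
    for sid, who in find_duplicate_sids(forests).items():
        lines.append(f"DUPLICATE SID {sid}: {', '.join(who)} - resolve before creating the trust")
    return lines


# Constructed sample: both forests have "jsmith" and "alee" with the same RIDs,
# but the domain identifiers differ, so the account SIDs differ.
FOREST_A = {
    "jsmith": "S-1-5-21-1004336348-1177238915-682003330-1105",
    "alee": "S-1-5-21-1004336348-1177238915-682003330-1106",
}
FOREST_B = {
    "jsmith": "S-1-5-21-3623811015-3361044348-30300820-1105",
    "alee": "S-1-5-21-3623811015-3361044348-30300820-1106",
    # A SID copied verbatim from forest A (e.g. a cloned domain): this is the
    # kind of duplicate the answer says must be removed before the trust.
    "svc_copy": "S-1-5-21-1004336348-1177238915-682003330-1106",
}

if __name__ == "__main__":
    print("\n".join(report({"forestA": FOREST_A, "forestB": FOREST_B})))
```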