Setting security level of infopath files

Hi,
At work i have designed an Infopath file and it has some code behind it which will be executed when a memo button is clicked. But when i try to preview it by hitting F5 in keyboard it shows error , so i checked the security level and it was set to auto.
When i changed it to Full Trust, it is working fine. Is it really due to the Full Trust and is there any other way we can make it work by setting the security as full trust.
Thanks in Advance
Arjun Menon U.K

Hi,
Did you add Visual Studio code behind it? In that case you need to create a certificate for your file. This certificate should also be on the receving server in order to create a secure setting as full trust. One of the reasons I always try to avoid
coding in InfoPath to much hassle on the server side.
Maurice
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer. Thank You

Similar Messages

Set Security Level per Security Zone in IE

I am trying to set the Trusted Security Zone to Low in IE (all versions).
I have made the change under Computer > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel >
Security Page > Trusted Sites Zone Template (and also tried under User). With User logged in I can see rsop which shows the setting, but in IE it remains at Medium.

Hi,
Please check below article and set the security level for each zone:
Best
Practice: How to use Group Policy to configure Internet Explorer security zone sites
Regards,
Yan Li
Regards, Yan Li

Domain level security issue with InfoPath Form

I have followed the article “Submitting Data from InfoPath 2007 to a SharePoint List” which can be found at
http://msdn.microsoft.com/en-us/library/cc162745.aspx.
But instead I am using SharePoint and InfoPath 2010.
I get the following error after deploying and running the form with its security level set to domain.
“A query to retrieve form data cannot be completed because this action would violate cross-domain restrictions. If this form template is published to a SharePoint
document library, cross-domain access for user form templates must be enabled under InfoPath Forms Services in SharePoint Central Administration, and the data connection settings must be stored in a UDC file in a data connection library in the same site collection.
If this is an administrator-approved form template, the security level of the form must be set to full trust, or the data connection settings must be stored in a UDC file by using the Manage data connection files option under InfoPath Forms Services in SharePoint
Central Administration.”
How do I get this form working on the server and client using domain level security?
Extra Note: On an additional not the form works fine in SharePoint and InfoPath designer when the security level is set to Full Trust.

Hi, Is this possible over a SharePoint "LIST"? I'm hitting brick walls and can't set the Security level on my form at all. Everything that I'm reading refers to Document Libraries but nothing about SharePoint List. It seems that this should work over a list,
but I'm hitting brick walls all the way around. Here is a copy of the question that I posed below under Todd.Wilder's post:
Hi,
Following this forum question/comment I am attempting to set the security on my Infopath form to Full Trust. But, I don't have the Security and Trust option. I can set the Trusted Location through the Trust Center but I can't find anywhere to set security.
I am using InfoPath 2010. What am I missing? Everything that I'm reading says that this is the problem and my error message is exactly like SomeGuy's message. One more piece to this is...this is a form over an Existing SharePoint List. I've found that I can
see the Security if I start InfoPath and start a New Blank Form, but by editing the form from a SharePont list, the option to edit Security is not there. HELP!!
I am following the instructions below that come from:
http://msdn.microsoft.com/en-us/library/ee526352.aspx
The InfoPath form designer automatically selects the appropriate security level (either Restricted or Domain) based on the features that you are using in the form. The security setting is always as restrictive as possible, starting at Restricted, to help
ensure a greater level of protection for you and your data. Users can manually override this automated setting to select a level of security that is more appropriate for the form by following these steps:
Click the File tab, and then click Form Options on theInfo tab.
In the Categories list, click Security and Trust.
Uncheck the Automatically determine security level (recommended) check box.
Select the desired security level.
Thank you,
~Tina~
~Tina~

The security level is set to High

Windows 2008R2 terminal Server
Office 2013
Adobe Acrobat XI update 9
When trying to create a PDF from a word document (have not tried other files yet), Adobe hangs for about 2 mins and then gives the following message
The Security Level is set to High
Please run the application which created this document, in the "Security Warning" dialog select the check box "Always trust macros from this source" and enable macro's created by Adobe Systems inc
No 1. There is absolutely no need for an apostrophe in the second instance of the word macros
Have deployed the Adobe Acrobat Administrative template and enabled the following setting
'Automatically Trust Sites for Win OS Security Zones' (Elevates the trusted sites list in Internet Explorer to privileged locations so that they may bypass enhanced security restrictions. When enabled, the trust list is a union of IE's trust list and Acrobat's privileged locations list. GUI mapping: Edit > Preferences > Security (Enhanced) > Automatically trust sites for my Win OS security zones)
- not a fix
Have exported every digital signature from the pdf office dlls and imported to the computer certificate store - not a fix
Have disabled every office macro and security setting - not a fix
Does not matter if the file being converted is on a UNC path, mapped drive, or local drive
Have added all file locations containing office docs to trusted folders in Word and Adobe - not a fix
R-Click context menus for combining and conversion work fine however I understand that this uses the Adobe PDF Printer and not the office addons
Opening a file in Word and converting to a PDF using the Addon is fine as is printing to the PDF Printer
This issue only occurs from within the Adobe Acrobat Application 'Create file from PDF' and currently only seems to affect Office documents
I cannot see how to give Adobe any more trust

Solved
I was running Office in a 'RunVirtual' environment. This man explains it best
http://ppe.blogs.technet.com/b/gladiatormsft/archive/2014/02/05/app-v-5-on-run-virtual-rds -run-virtual-virtualizable-ext…
Essentially Office and Acrobat are installed Natively however all Office Apps are configured to run in a Virtual environment so that Office Addins which are true AppV applications can be linked into Office.
My 'Empty' 'RunVirtual Office package did not have 'Com Integration' enabled
Adobe Acrobat makes use of a Com Addin for Office, so Office was unable to expose that to Adobe Acrobat until the 'Empty' 'RunVirtual Office package was updated accordingly

Setting field level security

I have created a form in LiveCycle in which two fields (Header and an Image block) need to be editable by one user type (e.g. power user), but should not be changeable by the end users. They will only be able to fill in other fields in the form. So far I have only been able to set form level security. Is there a way to apply security to just these two fields, perhaps requiring a password, so that the power user can update these two fields as needed?
Thanks for any ideas you might have!

Hi Diego,
Thanks for responding. We aren't using the LC PM module, so that takes one suggestion out of the running.
We tried some Javascript we found on the Acrobat forum (see below for what we used) - using it as an action with a bookmark, but it didn't work. The guy who wrote the script on that forum looked at our file and thought that the problem was likely because the form was developed in LiveCycle. We are not Java experts (or even close!), so we have no clue where to start. And unfortunately if we cannot find a solution for this dilemma, we will have to decline a project from a client.
So again, any thoughts or suggestions on where to go from here are greatly appreciated!
(function () {
    // Get one of the fields in the group
    var f = getField("private.name");
    // Determine new readonly state, which
    // is the opposite of the current state
    var readonly = !f.readonly;
    var readonly_desc = readonly ? "deactivate" : "activate";
    // Ask user for password
    var resp = app.response({
        cQuestion: "To " + readonly_desc + " the fields, enter the password:",
        cTitle: "Enter password",
        bPassword: true,
        cLabel: "Password"
    switch (resp) {
    case "your_password": // Your password goes here
        getField("private").readonly = readonly;
        app.alert("The fields are now " + readonly_desc + "d.", 3);
        break;
    case null : // User pressed Cancel button
        break;
    default : // Incorrect password
        app.alert("Incorrect password.", 1);
        break;
In this example, the fields that are controlled by this all have a field name prefix of "private", for example "private.name", "private.address", etc. This makes it easier to control the fields as a group, as I do in the line of code that begins: getField("private").readonly If you don't use such a field naming convention, you'd have to have a separate such line for each field in the group.
Replace "your_password" above with one of your own. The first and last lines are not necessary, but do prevent the needless creation of document-global variables, which is a good thing.

I'm getting an error "Security level is set to High..."

When I’m trying to combine multiple Word documents into a single PDF I’m getting an error "Security level is set to High...".
I regularly did this at my previous office, and the process involved dragging the Word doc’s from an Explorer window into an Adobe Acrobat window, then selecting ‘combine’; Acrobat would automatically open Word for each file, print it to the file it was building, then close Word and move on to the next file.
It appears that some setting on my new laptop is now different, either for Word or for Acrobat, but as usual, the error message is next to useless to fix the problem. There is no error message opening in Word, as the dialogue box suggests, and I can’t find any “Security Warning” dialogue box in Word. Where is the setting I need to fix?.
I am using Windows 7 with Word 2013 and Acrobat XI Pro.
-Michael

Hey Michael,
You might need to check the security level within Internet Explorer and ensure that both Download Signed ActiveX Controls and Run ActiveX Controls And Plug-ins are set to Prompt.
For this:
Open Internet Explorer. Go to Tools> Internet Options and click the Security tab.
Click Default Level, or click Custom Level and do the following:
a. Find the section ActiveX Controls And Plug-ins.
b. Set Download Signed ActiveX Controls to Prompt.
c. Set Run ActiveX Controls And Plug-ins to Prompt
Now check again and let me know if it works fine now.
Regards,
Anubha

Set security at app level

Hello, Is it possible to set security for a group at the application level so it automatically trickles down to the databases below (even new ones)? Thank you in advance.

We do use incremental dimension builds and we haven't seemed to have a problem about errors not written to the error log. There was a period when the write and append functions of the error logging were working backwards in MAXL, but that has long since been fixed. import database 'credits'.'credits' dimensions from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day7" using server rules_file 'store' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day7" using server rules_file 'acct' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day7" using server rules_file 'depts' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day6" using server rules_file 'store' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day6" using server rules_file 'acct' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day6" using server rules_file 'depts' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day5" using server rules_file 'store' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day5" using server rules_file 'acct' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day5" using server rules_file 'depts' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day4" using server rules_file 'store' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day4" using server rules_file 'acct' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day4" using server rules_file 'depts' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day3" using server rules_file 'store' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day3" using server rules_file 'acct' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day3" using server rules_file 'depts' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day2" using server rules_file 'store' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day2" using server rules_file 'acct' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day2" using server rules_file 'depts' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day1" using server rules_file 'store' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day1" using server rules_file 'acct' , from local text data_file "D:\\hyperion\\essbase\\app\\daily_05\\daily_05\\600$day1" using server rules_file 'depts' on error write to '3g.out'; This is a particularly nasty example of an incremental build, using daily data files to do the dimbuild but when we get errors, they seem to come from more than the last file parsed. If the on error write to isn't working for you, try the on error append to. Sometime in the not so distant past, the write and append functions were flopped causing a bug of the first degree. I'm no longer onitoring production processes, moving on to development and documentation, but I've written quite a bit of MAXL in the past and much prefer it to ESSCMD.

Combine functionality Batch Create Multiple files and Set Security

Greetings,
Is there any way to combine the functionality of Acrobat Pro’s “Batch Create Multiple Files” (File (drop down) -> Create PDF -> Batch Create Multiple Files…) and running a batch process (Advanced -> Document Processing -> Batch Processing -> Batch Sequences -> Set Security)?
Ideally I’d like to either:
1) Add the “Set Security” batch process to the “Batch Create Multiple Files … command located under the File (drop down) -> Create PDF
or
2) Be able to create a batch process that first allows me to select the documents (Word, Excel, etc.) I want to convert into PDF files, then converts them, then runs the Set Security batch process.
Right now it isn’t too much trouble to first “Create Multiple Files…” then run the batch process Set Security, but it would be nice to be able to do both with a single command.
Any suggestions?
Thank you,
TPK

I have uploaded the files and shared them. These are the links
Grade 11 Maths Standardisation Project Paper 2 2013.doc
https://files.acrobat.com/preview/9694310d-ca7f-4919-883d-c53b36215d89
Grade 11 Maths Standardisation Project Paper 2 Analysis Grid 2013.doc
https://files.acrobat.com/preview/97da9e5f-d412-4d25-9bbc-d1a525d90826
Grade 11 Maths Standardisation Project Paper 2 Diagram Sheet 2013.doc
https://files.acrobat.com/preview/f50dd62e-af04-4060-85c5-fa81ce6803d8
Grade 11 Maths Standardisation Project Paper 2 Formula Sheet 2013.doc
https://files.acrobat.com/preview/7fc6007b-aaa6-4d65-9a8c-bf99818474a5
Grade 11 Maths Standardisation Project Paper 2 Marking Guidelines 2013.doc
https://files.acrobat.com/preview/b3a715bb-3683-48df-b0ec-3d17442275be
Grade 11 Maths Standardisation Project Paper I Analysis Grid 2013.docx
https://files.acrobat.com/preview/ab62e6b6-0261-434e-8a2f-382f74335685
The first file is the problem file. If you create this file separately, Acrobat will convert it perfectly. But "Batch create multiple files" and the graphics are deconstructed on page 8

What does setting the internet zone security level to high actually do?

I was asked to set the Internet zone security level to high via a GPO, this has been done for a test group of users. The setting has been confirmed, but as far as I can see it has not actually done anything.
Can anyone tell me what changes I should see to the behavior and/or access of websites now the security level is set to high?

Hi,
Setting the internet zone security level to high might prevent harmful content with maximum safeguards and less secure features are disabled.
When you visit some sites with script pop up, the script will be disabled if you set the security level to the high level. For more information about
the internet zone security level, please refer to this:
http://blogs.technet.com/b/steriley/archive/2008/09/16/internet-explorer-security-levels-compared.aspx
Regards.

IE9 - Set Zone Security Level to Low

Hi,
I am trying to set the IE security Level to Low for Trusted Sites through GPO and Registry as well but still it doesnt apply.
I want to apply this setting for any user logging into the system.
Regards,
Maqsood
Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

Hi Maqsood,
>>and when i run the rsop it shows the policy has applied but it doesnt reflect on the IE.
Did we try to use Group Policy Preferences Internet Settings extension to configure the setting? Besides, what's our domain environment? If we are using GPP to configure this setting, and our server are Windows Server 2008 R2 and clients are Windows 7, we
can try to install the hotfix in the following KB article.
Internet Explorer Group Policy Preferences do not apply to Internet Explorer 9 in a Windows Server 2008 R2 domain environment
http://support.microsoft.com/kb/2530309/en-us
Besides, if we used GPP to configure the security level setting, we need to make sure that the line under the setting was Green, or the setting would not get applied. If the line is not Green, we can press F6 to turn it to.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen

Ms word95 to pdf - "security level too high"?

I'm a brand new user of Acrobat 9.0 (on XP system) - all kinds of problems (including major file crash and loss during 9.0 installation - more on that later). for now, I need to get started immediately on converting some MS Word doc files to pdfs - What I get from 9.0 is the message that "The Security Level is Too High". If it's referring to the MS word docs, they are unprotected (I've checked and tried several - Word shows they are not protected, and as far as I know, never have been). They were originally created on a mac with macWord - but were not protected and converted to windows with MacDrive7. They show in MS Word in good condition and unprotected. What do I need to do to get them into acrobat and into pdf format? I've also check the knowledge base here and elswhere without any clues except one chap who seemed to be having similar problems (along with serious crashes) using 8.1. Other than that, I'm mistified.
I've also tried using the context menu 'covert to pdf' method and also creating a new pdf (blank) and inserting them. In both cases the security message aborted the process. Need to do this right away. I'm not technically skilled, so if someone can give me some clear instructions I'd be grateful. - red

Thank you all for responding so quickly. First, I'll mention the serious message and a warning. DO NOT INSTALL ACROBAT 9.0 IN AN ENVIRONMENT WITH WORD 7.0 (or any old(er) MS Word version before 2k). The consequences are ghastly, including the deletion of half or more of your program files (including your email clients, av software and other primary programs), the corruption of your browser, registry (including restore points) and other not so nice events - worse than most bad viruses. That's a problem Adobe and I will probably be taking a look at next week. Mean time, they indicate that they are going to add the matter to their KB and elswhere so that users have a heads-up on the issue.
As for the conversion problem from Word 7.0 .doc to .pdf - Bill, you just about nailed it. It was, indeed, a problem that could be circumvented by going to the printer dialog and setting the printer to 'Adobe pdf file' (something a novice wouldn't think of, nor line tech-support for that matter.). As far as Word/pdf 'printer' is concerned you're just printing the file. However, as I understand things, that's how Adobe attaches the Word documents - It does it through the printer interface. Once that setting is changed to 'Adobe pdf printer' the file is simply picked from the print queue (or before) and loaded into A9. Save it from A9, and the job is done. So, Bill, If Adobe hadn't found the answer, I do believe you would have been telling me exactly how to do it after a few more posts. The credit, though, goes to Neo Johnson, tech-support supervisor in New Delhi. The last two days (almost 9 hours of phone time) were spent with various tech-support agents at Adobe; but, he was the one who finely thought about the interaction between A9 and Word and figured it out.
Ok -that's the brief. The rest is a little history/background for whomever is interested (skip, otherwise - not important). The problem begins with failure to install - first, setup can't find the msi file - it was there, and I browsed it, so that was solved. Then 'invalid licensing - process stopped' messages appear. That was a little tougher and http://kb2.adobe.com/cps/405/kb405970.html and some other articles had me doing repair, reinstall, and other complex (for me) procedures. One of the problems was that flexnet had failed to install, which was a stumper for me (I couldn't find it to download separately - barely knew what it was/did - and finally understood that Adobe was supposed to install it. After that, I did several uninstalls, to no effect. Finally I did a few moderate and then deep uninstalls (with Revo) and several reinstalls. Things got progressively worse. On one reboot, my desktop came up and all the program icons were broken links. I examined targets and such and then went to my 'program files' directory. To my horror, nearly all my primary program (including thunderbird email client, AVG etc.) files had disappeared. The folders were simply empty. Firefox still loaded, but the tabs were non functional. Several checks and some light disc analysis indicated the files vanished. No trace. However, my document folders and data were intact (also backed-up). I went to restore and found that all the old restore points (including the one's Revo sets before uninstalling) were gone. If it had been a virus, it couldn't have done a better job at making a mess of things. At that point, I knew the registry had been toasted and I was facing a complete OS reinstall. Instead, I opted for reinstalling some of the critical programs (and because the document files appeared to be intact). After the first few - thunderbird, firefox etc. - I was relieve to find that they were picking up on the old settings and restoring themselves to their previous states. I still have a number of these to do - and a few must be re-configured. But that's going ok.
Then the saga of Adobe, several phone calls; several times the phone connection was cut off and I had to call again and start over from the beginning with a new person. The matter always had to be esculated to the next tier - more time, more cues, no solutions. They went over the firefox settings, the adobe settings. They were puzzled about the broken links. Attempts to open doc files (after a fresh install of winword) were resulting in 'invalid win32 application'. All kinds of problems made progress difficult. We cleared up the 'invalid....' messages by reparing the file associations (in XP folder options) and then opening the docs in Word and resaving them as something else. It was a labor. Finally, there was simply no answer except, like the post here, Word 7 is simply too old and uses different scripting. The only solution was to either buy (ugh, ouch!) Word 2007 (and hope that it would load them and save them in A9 useable form) or, try installing Word2k (which I have) and processing them through that; and, then using Acrobat 8.x to load those and save the pdfs for A9 to use. However, when Adobe said they could not provide me with a free (even trial) version of 8.x to do the job - licensing problems etc. -- It seemed like a really ugly solution. Finally, I'm begging Adobe to give me a free copy of 8.x and in steps Neo. He can't provide the free copy, but he asks a few questions himself. We go to Adobe and reset some of the security settings (something other agents didn't know or think of). No dice - still can't load the docs. But then he says, Open up Word. Ok. load the file and then hit 'print' - ok, the print dialog comes up. 'Now,' he says, 'open the properties and see what printers are listed.' Ok I do that, and I'll be... 'Adobe pdf printer' is among them. "Just what I thought," he said, Adobe was hooking up with word, but didn't have its printer to attach." So we set 'Adobe pdf' as the printer and lo and behold, the docs loaded into Adobe as pdfs. End of that story. (so bill, you had it too - wish you had answered the phone in the first place!)
Clean up. So, there's a few simple solutions, I think (though i'm no techie and you folks will certainly have better ideas). First, I don't buy the story that early versions of Word are either 1) unsupported by MS or, 2) nobody uses them, as valid reasons why not to fix the problem of the "unloadable" docs. I figure there are at least a couple of aproaches and easy patches that will correct the matter. One is from the Word side - to is to set the current printer setting to use 'Adobe printer', get the file and then reset the printer back to what it was - default. The other is to patch A9 to detect legacy source applications and bypass things that would normally make the file unloadable, unless, of course, they were actually protected or, read only files. In that case, Adobe could simply inform the user to 'unprotect' them, the same as it now does with its 'Security Setting too High' message for later versions. I'm sure there are even better ways. But, that would fix things as far as file loading and conversion.
As to the installation and crash problems - those need to be addressed. Even if its only a few dozen people that might have the same problem, it needs 1) to be given as a noticable warning and keyword in Adobe documents (which now simply indicate that it can process .doc files); 2) it needs to be examined to insure systems that have Word 7.x or older can install without problem, and certainly without harming their system. Adobe has a good reputation and does a good job. That's worth protecting with all customers, even if Marketing can't quite see why and the bean counters can't find much profit in the task. It's what I expect from professionals and to do less certainly subtracts from Adobe's standing. That should be worth a great deal, I would imagine.
Anyway, thanks folks - got to get some sleept, and then get those pdfs done and sent to people who are waiting for them. - best to you all, red.

Security Level on Navigation (6.0 sp9)

I use a custom iview launch from the UWL. The custom iview comes up based off of the navigation from the default uwl screen. I am trying to code the cancel action of the custom iview.
I put a link on the page that has a reference back to the pcd location of the default page.
The portal is now complaining with the following error:
Access denied (Object(s): com.sap.portal.system/security/sap.com/NetWeaver.Portal/high_safety/com.sap.portal.runtime.system.console/components/default).
I tried to overide this by setting the security level in the portalapp.xml file to low_security.
 <component name="ApproveReject">
 <component-config>
 <property name="ClassName" value="ApproveReject"/>
 <property name="ComponentType" value="jspnative"/>
 <property name="JSP" value="pagelet/ApproveRejectJSP.jsp"/>
 <property name="SafetyLevel" value="low_safety"/>
 </component-config>
 <component-profile>
 <property name="tagLib" value="/SERVICE/htmlb/taglib/htmlb.tld"/>
 </component-profile>
 </component>
htmlb link code:
 <hbj:link
 id="backLink"
 text="Main Menu"
 target="_self"
 tooltip="Click to return to Main Menu"
 reference="pcd!3aportal_content!/portal_content/com.nexeninc.NEXEN/fld_tots/com.sap.netweaver.bc.uwl.uwl_page">
 </hbj:link>

i had applied the patch from note 796540. however, it dint seem to help (

ASA 5505 Interface Security Level Question

I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seem to be working with that. Guests are getting address on the correct subnet, etc.
The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)
Can someone show me what I did wrong?
Thank you for any help!
To create the VLAN, I did the following:
int vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
no shutdown
int Ethernet0/1
switchport trunk allowed vlan 1 5
switchport trunk native vlan 1
switchport mode trunk
no shutdown
below is the whole config.
Result of the command: "sho run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password zGs7.eQ/0VxLuSIs encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address <External IP/Mask>
interface Vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Server1_80
host <Inside_server1_IP>
object network Inside_Server1_25
host <Inside_server1_IP>
object network Inside_Server1_443
host <Inside_server1_IP>
object network Inside_Server1_RDP
host <Inside_server1_IP>
object service RDP
service tcp destination eq 3389
object network Outside_Network1
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network TERMINALSRV_RDP
host <Inside_server2_IP>
object network Inside_Server2_RDP
host <Inside_Server2_IP>
object-group network Outside_Network
network-object object Outside_Network1
network-object object Outside_Network2
object-group network RDP_Allowed
description Group used for hosts allowed to RDP to Inside_Server1
network-object object <Outside_Network_3>
group-object Outside_Network
object-group network SBS_Services
network-object object Inside_Server1_25
network-object object Inside_Server1_443
network-object object Inside_Server1_80
object-group service SBS_Service_Ports
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Inside_Server1_80
nat (inside,outside) static interface service tcp www www
object network Inside_Server1_25
nat (inside,outside) static interface service tcp smtp smtp
object network Inside_Server1_443
nat (inside,outside) static interface service tcp https https
object network Inside_Server1_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network TERMINALSRV_RDP
nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
object network Inside_Server2_RDP
nat (inside,outside) static interface service tcp 3389 3390
nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest-VLAN_access_in in interface Guest-VLAN
route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
dhcpd lease 43200 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 prefer
username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
inspect pptp
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
: end

Hi,
To my understanding they should not be able to connect to the more secure network IF you DONT have an interface ACL configured.
One very important thing to notice and which I think is the most likely reason this happened is the fact that as soon as you attach an interface ACL to an interface then the "security-level" looses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
What I think happend is that you have "permit ip any any" ACL on the interface that allowed all the traffic.
Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic which would allow the traffic to Internet
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni

Failed to set security on SQL Server registry key. Error: 2

Hi,
I have a Primary site (mixed mode) running SCCM 2007 SP1 for many months now with no issues.
This site is made up of two Win 2008 sp2 servers sharing the SCCM roles:-
SCCM01 - Site server, DP, RP, PXE and SQL2005 hosting the SCCM database
SCCM02 – SUP, MP, FSP, SLP
The SQL2005 on SCCM01 is running under a domain service account called
domain\service_sccm which is also a sysadmin in SQL as is the SCCM02 server.
In an effort to resolve the isse I have made this account a Domain Admin.
I have also used this account to log onto SEC01 to run the Secondary Site installation and to be the SQL Service account.
I'm now trying to add a Secondary Site on a Domain Controller called SEC01 (also Win2008 sp2) and on the same LAN as the SCCM01/02.
This is where I get problems.
I run the installation locally on the Sec Site server (DC) as a Domain Admin and the installation completes OK (all green ticks),
the ComponentSetup.log and Pre-Reqs are all good as well however when I check the ConfigMgrSetup.log I see the below -
Failed to set security on SQL Server registry key. Error: 2.
<11-09-2010 22:46:59> SMS Setup full version is 4.00.6221.1000
<11-09-2010 22:46:59> Successfully set security on Setup registry key.
<11-09-2010 22:46:59> Failed to set security on SQL Server registry key. Error: 2
<11-09-2010 22:46:59> Successfully set security on Identification registry key.
<11-09-2010 22:46:59> Creating SMS Inbox Source registry key ...
<11-09-2010 22:46:59> Installing SMS Site Component Manager ...
<11-09-2010 22:46:59> Installing Site Component Manager under acct <NT AUTHORITY\SYSTEM> path <C:\Program Files (x86)\Microsoft
Configuration Manager\bin\i386\sitecomp.exe>
<11-09-2010 22:47:01> Started Site Component Manager service
<11-09-2010 22:47:01> SMS Site Component Manager installation completed.
<11-09-2010 22:47:01> Done with service installation
Adding the PMP role to SEC01 also fails to install and no MPSetup or MPControl logs are created.
WebDav and win2008 roles, features all added and server fully patched.
Despooler.log on SCCM01 seems good and passing keys.
Tried installing to default path and to shortened path such as C:\SCCM
The new secondary site is listed in the console and an address can be added for the Secondary Site
BITS Server Extensions and Remote Differential Compression Features are enabled.
The Group memberships all appear ok:-
SCCM01
Local Admins
contains the sec site server SEC01, SCCM01, installation accounts
SMS_SiteToSiteConnection_001
SEC01 (the sec site server)
SMS_SiteSystemToSiteServerConnection_001
SCCM02
SEC01
No Local Admins as a DC
SMS_SiteToSiteConnection_002
SCCM01
SMS_SiteSystemToSiteServerConnection_002
empty
SQL 2005
This has the account logged in during installation as a sysadmin
SCCM02 is also sysadmin
The fundamental issue appears to be that the SEC01$ server account is not being added to SQL Logins (and therefore SCCM database Roles)
therefore the installation cannot complete.
I have tried to manually add the SEC01 account to SQL Logins before installation of Sec Site but this did not work.
Not sure if the fact that SEC01 is a DC may be a factor.
Appreciate any help if anyone has seen this before or can suggest a resolution.
Thanks

After a lot of digging around and head scratching I eventually found the resolution.
The original thread title Error turned out to be a bit of a red herring in that my failure to deploy Sec Sites came down to two separate issues seemingly unrelated to the error message of the thread title.
The first part of the resolution was to manually create the SQL Server accounts for the Sec Site Servers and assign them to the smsdbrole_MP DB role to
let the SQL side of the SCCM install complete a s these were not being created automatically.
This then left the fact that that the installation of the Sec Site completed successfully according to the install logs in C:\ however the DP and MP would
never install.
The big clue was eventually contained in the mpfdm.log errors relating to
**ERROR: Cannot find path for destination inbox SMS_AMT_PROXY_COMPONENT on server REGISTRY SMS_MP_FILE_DISPATCH_MANAGER
and
**ERROR: Cannot find path for destination inbox Asset Intelligence KB Manager on server REGISTRY SMS_MP_FILE_DISPATCH_MANAGER
Thankfully the errors led me to these two blogs:
http://myitforum.com/cs2/blogs/scassells/archive/2009/07/20/error-cannot-find-path-for-destination-inbox-sms-amt-proxy-component-on-server-registry.aspx
and
http://social.technet.microsoft.com/Forums/en-US/configmgrsetup/thread/5fcc53d4-8629-4b34-9eaa-6cb020eedc13/
As it turned out the SCCM installation registry and folder creation does not complete and I had to manually enter the reg settings as detailed in the
links above to complete the installation. Once I did as described everything worked a treat – all my MPs and DPs are 100% now.
Solutions
Add the following reg keys to each of your effected secondary sites.
Inbox Fix
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\MPFDM\Inboxes]
"Asset Intelligence KB Manager"="E:\\Program Files\\Microsoft Configuration Manager\\inboxes\\AIKbMgr.box"
"SMS_AMT_PROXY_COMPONENT"="E:\\Program Files\\Microsoft Configuration Manager\\inboxes\\amtproxy.box"
Asset Intelligence fix:
Note: you will need to identify the next largest key value.
In my example it was key 49
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Inbox Source\Inbox Definitions\49]
"Inbox Name"="Asset Intelligence KB Manager"
"Relative Path"="inboxes\\AIKbMgr.box"
"NAL Path"=""
"User Rights"=dword:00000000
"Service Rights"=dword:00000004
"Monitoring Enabled"=dword:00000001
"Location Type"=dword:00000001
"Guest Rights"=dword:00000001
AMT registry Fix.
 Note: you will need to identify the next largest key value.
In my example it was key 50
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Inbox Source\Inbox Definitions\50]
"Inbox Name"="SMS_AMT_PROXY_COMPONENT"
"Relative Path"="inboxes\\amtproxy.box"
"NAL Path"=""
"User Rights"=dword:00000000
"Service Rights"=dword:00000004
"Monitoring Enabled"=dword:00000001
"Location Type"=dword:00000001
"Guest Rights"=dword:00000001
Big thanks to Shaun Cassells and John Marcum for these blogs

ORA-20100: AppDomain could not be created for the specified security level

We recently updated our development environment to Visual Studio 2010. We have previously deployed (with success) .Net stored procedures from Visual Studio 2005 to our Oracle 10gR2 database. I am currently trying to configure a local instance (called local) of Oracle 10gR2 database to test deployment of .Net stored procedures to Oracle 10gR2 via Visual studio 2010 and ODT version 11.2.0.1.2. I have built the demo from the ode developer guide and gotten as far as deploying it but executing the stored procedures from VS 2010 or SQL*Plus produces the following error...
ORA-20100: AppDomain could not be created for the specified security level
ORA-06512: at "SYS.DBMS_CLR", line 152
ORA-06512: at "SCOTT.GETDEPTNO", line 7
Here is what I have done.
(Server)
1. Installed oracle 10gR2 with ODE.Net
2. Installed Oracle 10gR2 patch set 22
3. Installed ODE upgrade from Oracle Developer Tools for Visual Studio .NET with Oracle 10g Release 2 ODAC 10.2.0.2.21
(Client)
4. Installed Oracle Developer Tools for Visual Studio .NET with Oracle 10g Release 2 ODAC 10.2.0.2.21 (In new client home).
5. Installed patch set 22 on 10g client home.
6. Installed Oracle 11g Release 2 ODAC 11.2.0.1.2 with Oracle Developer Tools for Visual Studio(in new 11g client home, only for VS 2010)
I have made some minor changes (GAC) etc. per the following threads...
ODE.NET 11.1.0.7.20 on 10g Database?!
Re: Error: System.TypeInitializationException
The database appears to be fully functional via TOAD - SQL plus etc. I can't find much on this error but it appears Oracle needs some permissions to launch an ASP.Net application that it does not have. Any help would be GREATLY appreciated, don't hesitate to ask for additional details.

The KB article is almost what we have apart from theitalic underlined
part
Consider the following scenario:
You use a domain administrator account to log on to a computer that is running Windows 7 or Windows Server 2008 R2.
You use the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in to connect to a domain controller.
You open the Properties dialog box of a user account.
The user account has sole access to a shared folder path that cannot be accessed by the administrator account.
You set the Remote Desktop Services Home Folderattribute to the shared folder path.
NoteThis attribute is located on the
Remote Desktop Services Profiletab.
You click Apply or OK.
In this scenario, you receive the following error message:
The home folder could not be created because: The network name cannot be found.
Note If you click Apply or OK again, no error message is returned. However, the setting is not saved.
I think the important bit is
The user account has sole access to a shared folder path that cannot be accessed by the administrator account.
We manually create the shares on our NAS and then just want to enter the path in the profile tab, I suppose the question is how to we stop it trying to create the shares ?

Setting security level of infopath files

Similar Messages

Maybe you are looking for