Sign in authentication and cert questions!

Hi guys,
I have read this Lync 2010 article: http://blogs.technet.com/b/nexthop/archive/2012/11/28/lync-2010-client-authentication.aspx
It states that for internal users one uses Kerberos v5, TLS-DSK and NTLM v2, and for external users one uses TLS-DSK and NTLM v2.
Once one has authenticated, one will retrieve a certificate that is valid for 180 days.
Now... is this valid for Lync client/server 2013 as well? Or is there something new? I cannot find this information on TechNet...
For the server part one uses OAuth, I guess?

Hi,
Yes, the client-server authentication mechanism is the same as for Lync 2010.

Similar Messages

  • Authentication and Authorization question.

    Hi All,
    I require your help in validating my understanding of Authentication and Authorization. This is with respect to WebLogic Server and WebLogic Portal.
    Authentication.
    1. The custom authentication provider can authenticate (user and group) against any datastore (LDAP or DB). The LoginModule is a kind of black box and it can return true/false depending on authentication.
    2. The end result of this process is true/false.
    Authorization.
    1. The custom authorization providers can authorize the authenticated user based on role. All these entities (i.e. user, group, role) can be either in LDAP or DB.
    2. The end result of this process is true/false.
    Role mapping.
    1. The custom role mapper can put all the roles that a user belongs to and returns all roles. This can happen against LDAP or DB.
    2. The end result is a list of roles for a user.
    Security policy configuration.
    Is it mandatory that a user/group/role should exist in the WebLogic Server LDAP server (or Portal LDAP server) to create these policies and authorization rules? What I mean is, can the user, group and role exist in an application-specific database and still be used for creating security policies?
    Thanks,
    Prashanth Bhat.

    The Security Providers are useful/can be used for developing a standard J2EE application, which will be deployed as a standard J2EE application.
    DA means Delegated Administrator, which is the way portal components are restricted to different types of administrators.
    VE means Visitor Entitlements, which is the way portal components are restricted to end users.
    My question is whether these (DAs and VEs) can also be put in our datastore for access rights?
    Thanks,
    Prashanth Bhat.

  • AAA authentication and authorization question

    Hi Everyone,
    I have a situation that is driving me crazy.
    I am using Cisco Freeware TACACS running on RedHat
    Enterprise Linux 3. I've modified the source code
    so that I can assign each individual users his/her
    own enable password. So far so good.
    I create two groups: group_A and group_S. group_A
    is for advanced users and group_S is for super
    users. Users that belong to group_A can have
    privilege level 15 but there are certain commands
    that they can not perform such as "write mem"
    or "reload". users that belong to group_S can do
    EVERYTHING.
    Here is my configuration on the TACACS configuration
    file:
    user = xyz {
        member = admin
        name = "User X"
        login = des 6.z8oIm9UGHo
    }
    user = $xyz$ {
        member = admin
        name = "User X"
        login = des c2bUC43cmsac.
    }
    user = abc {
        member = advanced
        name = "User abc"
        login = cleartext "cisco123"
    }
    user = $abc$ {
        member = advanced
        name = "User abc"
        login = cleartext "cisco123"
    }
    group = advanced {
        default service = deny
        cmd = show { permit .* }
        cmd = copy { permit flash }
        cmd = copy { permit running }
        cmd = ping { permit .* }
        cmd = configure { permit .* }
        cmd = enable { permit .* }
        cmd = disable { permit .* }
        cmd = telnet { permit .* }
        cmd = disconnect { permit .* }
        cmd = where { permit .* }
        cmd = set { permit .* }
        cmd = clear { permit line }
        cmd = exit { permit .* }
    }
    group = admin {
        default service = permit
    }
    configuration of the router:
    aaa new-model
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec TAC start-stop group tacacs+
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 TAC start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 TAC start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 10 TAC start-stop group tacacs+
    aaa accounting commands 15 TAC start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa session-id common
    line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
    However, what I would like to do is to assign users
    in group_A the ability to go into "configuration t"
    but I do NOT want them to have the ability to perform
    "no tacacs-server host x.x.x.x key cisco". Furthermore,
    I would like to do everything via TACACS, I don't
    want to configure "privilege level" on the router itself.
    Is that possible? Thanks.
    David

    Command Authorization Sets: Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html
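One way to reason about the request in this thread with tac_plus-style per-command regex rules, as an added example that is not part of the original posts: a simplified Python model of first-match command authorization for the restricted group. The `no`, `tacacs-server` and `interface` rules, the sample commands, and the evaluation semantics (first matching regex wins, no match inside a `cmd` block denies, unlisted commands fall back to the group default) are assumptions made for illustration.

```python
import re

# Constructed policy in tac_plus "cmd = <name> { permit|deny <regex> }" syntax.
# The "no", "tacacs-server" and "interface" blocks are illustrative additions,
# not taken from the thread.
POLICY = """
group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = configure { permit terminal }
    cmd = interface { permit .* }
    cmd = no {
        deny ^tacacs-server
        deny ^aaa
        permit .*
    }
    cmd = tacacs-server { deny .* }
    cmd = exit { permit .* }
}
"""

CMD_BLOCK = re.compile(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}")
DEFAULT = re.compile(r"default\s+service\s*=\s*(permit|deny)")


def parse_group(text):
    """Return (default_permit, {command: [(permit_bool, compiled_regex), ...]})."""
    m = DEFAULT.search(text)
    default_permit = bool(m) and m.group(1) == "permit"
    rules = {}
    for name, body in CMD_BLOCK.findall(text):
        tokens = body.split()  # regexes in this model contain no spaces
        if len(tokens) % 2:
            raise ValueError("unpaired action/regex in cmd = %s" % name)
        for action, pattern in zip(tokens[::2], tokens[1::2]):
            if action not in ("permit", "deny"):
                raise ValueError("unknown action %r in cmd = %s" % (action, name))
            rules.setdefault(name, []).append((action == "permit", re.compile(pattern)))
    return default_permit, rules


def authorize(policy, command_line):
    """Assumed semantics: first matching regex decides; no match means deny."""
    default_permit, rules = policy
    parts = command_line.strip().split(None, 1)
    if not parts:
        return False
    cmd = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    if cmd not in rules:
        return default_permit  # command not listed: group default applies
    for permit, rx in rules[cmd]:
        if rx.search(args):
            return permit
    return False  # listed command, but no argument rule matched


ADVANCED = parse_group(POLICY)

# Constructed sample commands, written in full (unabbreviated) form.
SAMPLES = [
    "configure terminal",
    "interface FastEthernet0/1",
    "no shutdown",
    "no tacacs-server host 192.0.2.10 key example-key",
    "no aaa new-model",
    "tacacs-server host 192.0.2.10",
    "write memory",
    "reload",
]


def audit(policy, commands):
    """Return [(command, 'permit'|'deny')] so a rule set can be reviewed before deployment."""
    return [(c, "permit" if authorize(policy, c) else "deny") for c in commands]


if __name__ == "__main__":
    for command, verdict in audit(ADVANCED, SAMPLES):
        print("%-6s %s" % (verdict, command))
```

On the router side, whether configuration-mode commands are sent to the server for authorization at all is governed by `aaa authorization config-commands`.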

  • Authentication and Single Sign-On

    Does the Ironport support LDAP authentication with Single Sign-On? Or, is it only supported on NTLM? Can you set up multiple authentication realms to the same AD server, but call different AD groups? What I am trying to accomplish is to have single sign-on working and also have users placed in certain access policies according to which AD group they are in. For instance, the marketing group would be placed into one access policy while HR would be placed in another.

    Hello,
    Single Sign on is done on NTLM.
    If you go to your GUI > Top Right Hand side > Support and Help Dropdown > Select On Line Help > Then search for working with authentication realms
    You will see as follows:
    An authentication realm is a set of authentication servers (or a single server) supporting a single authentication protocol with a particular configuration.
    You can perform any of the following tasks when configuring authentication:
    - Include up to three authentication servers in a realm.
    - Create zero or more LDAP realms.
    - Create zero or one NTLM realm.
    - Include an authentication server in multiple realms.
    - Include one or more realms in an authentication sequence.
    - Include realms of different protocols in a single authentication sequence.
    - Assign a realm or a sequence to an Access Policy group.
    You can do what you are trying to do with NTLM.
    I hope this answers your query.
    Regards,
    Eric

  • Google 2 factor authentication and youtube sign in

    I recently enabled google's 2 factor authentication and now can't view my youtube content/subscriptions via apple tv, presumably because of this. The account password has remained the same.
    Is there a means to get around this?
    Thanks.
    (apple tv software is current)

    Unfortunately, I already tried this several times prior to posting here.  The system won't let me add the same account more than once, and continues to prompt me for a password multiple times for each service.

  • Custom Authentication and Single Sign On

    Hello,
    I was wondering if it is possible to have an application that has custom authentication based on tables be used as a MAIN application and have links to other HTMLdb applications within it. Then when they logged into the main application, they would not have to log in again within the 2nd or 3rd application?
    regards,
    Jeff

    Well I finally got the main application to work with links to (2) other HTML db applications -- all 3 apps use the same custom authentication and within each apps authentication scheme the cookie name is the same.
    From the main application, my navigational list link URL's look like this:
    f?p=106:1:&SESSION. for one application
    f?p=121:1:&SESSION. for the second application
    Within each sub-application and in the authentication scheme I am using
    wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=200:1
    as the logout URL.
    The main app ID is hardcoded in the logout URL and when the user logs out of the application is taken to the main login of the main application.
    So the application is working fine -- only thing left is to change the invalid session URL in the applications and work on the frames design.
    Thanks for all of your help!
    Jeff

  • Do I need and how to secure the Unix/Linux agents authentication and communication to RMS?

    Hi everybody
    We have an environment including SCOM 2012 SP1, 10 Windows servers, 40 Linux servers and 10 HP-UX servers. All of them are joined to a trusted domain. I know the authentication method between Windows agents and the management server is Kerberos, but not for the Linux and HP-UX servers.
    Now I want to secure the Unix/Linux agents' authentication and communication to RMS. Some questions:
    1- How secure and credible is the current authentication method? And in a highly secure environment can I trust SCOM self-signed certificates?
    2- Considering that the Unix/Linux computers are joined to the Active Directory domain and are using Kerberos to authenticate, can I use this authentication method between RMS and the Linux agents?
    3- If I decide to use certificates, should I use a gateway server? (considering all servers and RMS are in the same trusted domain)
    Any other suggestions?
    Thanks in advance

    nothing?

  • Wallet and Cert location with OHS in front of B2B

    Hi,
    I am trying to figure out how many and what types of Certs are needed as well as where the wallet should reside in the following scenario. We have a stand alone OHS in a public DMZ which is forwarding our inbound trading partner messages to the MidTier server which contains B2B. We have also configured B2B to use the public DMZ OHS as a proxy when sending outbound messages to the trading partners. The RosettaNet PIPs that we will be implementing require signing (non-repudiation), encryption and SSL.
    I assume that SSL must be enabled on the public DMZ OHS, but does it have to be enabled on the MidTier server as well? I believe that if we had to enable it on both servers, then different certs would be required for the different servers, but I am not sure.
    Also, we have to configure the outbound messages from our B2B with all of this (signing, encryption and SSL). Does this require a cert and wallet on the B2B server or on the OHS or both? I know that when configuring the trading partner within B2B, the cert must be accessed, but I am completely confused on if this is the cert that we use on OHS or something different.
    Thanks so much for any help you can provide!
    Darrin

    Hi Darrin,
    Certificates will be used at both OHS and Midtier. At OHS you are receiving incoming traffic so your server certificate should be there (in PKCS 12 format). From midtier, you are sending messages to your TP's (your Outbound), so your client certificate should be at Midtier at following location-
    Oracle_Home/Apache/Apache/conf/ssl.wlt/default
    At above location three files should be there-
    1. cwallet.sso
    2. ewallet.p12 (Your Client cert with all trading partners server cert public key in base 64 format including CA's cert as well)
    3. ewallet.txt (export of whole ewallet.p12 in ".txt" format)
    Give path of ewallet.txt in your tip.properties file.
    SSL would be enabled at both midtier and OHS, but if OHS is sending messages to midtier at HTTP port then do not enable transport security in your host tp's delivery channel.
    You have to upload certificates which will be used for signing and encryption at respective tp's delivery channel.
    Wallets are used for client and server authentication and signing and encryption in outbound where as certs uploaded at tp's delivery channel are used for decrypting the incoming message as well as verifying the tp's signature in message.
    Regards,
    Anuj
    Edited by: Anuj Dwivedi on Feb 11, 2009 12:28 PM

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
    On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
    I created authentication and authorization rules with Active Directory as External Identity Source. Also I applied an authorization profile with DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the one last account.
    I tried to reboot the switch and PC, but it didn't help. Only rebooting ISE helps. After ISE reboots, authentication and authorization start to work properly for several hours.
    I don't understand whether it is a glitch or whether I misconfigured ISE, the switch or the supplicant.
    What should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times), didn't work. 5 people in my office, all with vers. 6.0.1, couldn't access their gmail accounts. Kept getting an error message that username and password were invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain, and that did the trick. Think there is an issue with imap.gmail.com and iOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.

  • How can i restore my iphone 5s as i forgot my icloud password and sec questions

    I bought a new iphone 5s  (32G Gold)
    and when I connect it to itunes asked me to restore from my old iphone 4
    with all my account settings and passwords.
    but I have a problem with my account for iCloud password and security questions because my cloud ID is *************** and with no problem with my Apple ID "*****************". I tried to restore my new iPhone after I turned off Find My iPhone from the iCloud settings, and when the restore was finished the iPhone was locked and asked me to unlock the iPhone with a ****************** for which I forgot the password and security questions, and when I tried to enter my account ID "****************" with no problem with its password it says to me "this account can't unlock this iphone".
    When I visited Tradeline (Apple products dealer) I found no answer and they advised me to contact Apple directly.
    Name : Alaa Rashed Abd el Hafiz
    Country : egypt
    <Personal Information Edited by Host>

    First, remove your personal information from your post.  That's not needed here.  This is a public forum, and it is unwise to provide your personal data online.
    Second, here's how you reset your password and/or security questions.
    How to reset your Apple ID password.
    Go to iforgot.apple.com and type in your Apple ID, then click 'Next'.
    Verify your date of birth, then click 'Next'.
    You'll be able to choose one of two methods to reset your password, either E-Mail Authentication or Answer Security Questions.
    If neither method works, then go to https://getsupport.apple.com
    (If you see a message that says 'There are no products registered to this Apple ID', simply click on 'See all products and services')
    Choose 'More Products & Services', then 'Apple ID'.
    A new page will open.
    Choose 'Other Apple ID Topics', then 'Lost or forgotten Apple ID password'.
    Click the blue 'Continue' button.
    Select the contact option that suits your needs best.
    How to reset your Apple ID security questions.
    Go to appleid.apple.com, click on the blue button that says 'Manage Your Apple ID'.
    Log in with your Apple ID and password. (If you have forgotten your Apple ID password, go to iforgot.apple.com first to reset your password with a password recovery email)
    Go to the Password & Security section on the left side, and click on the link underneath the security questions that says 'Forgot your answers? Send reset security info email to [email]'.  This will generate an automated e-mail that will allow you to reset your security questions.
    If that doesn't work, or  there is no rescue email link available, then click on 'Temporary Support PIN' that is in the bottom left side, and generate a 4-digit PIN for the Apple Account Security Advisor you will be contacting later.
    Next, go to https://getsupport.apple.com
    (If you see a message that says 'There are no products registered to this Apple ID', simply click on 'See all products and services')
    Choose 'More Products & Services', then 'Apple ID'.
    A new page will open.
    Choose 'Other Apple ID Topics', then 'Forgotten Apple ID Security Questions'.
    Click the blue 'Continue' button.
    Select the contact option that suits your needs best.

  • Advice needed for provider hosted web application - authentication and access to SharePoint document library

    I haven't done SharePoint 2013 development with claims so I apologize in advance if my assumptions and questions are way out in left field.
    I'm trying to understand SharePoint 2013 claims authentication for a scenario that involves:
    A SharePoint provided hosted (web forms) app that will pull information and assets (e.g. PDFs) from SharePoint into the web page.
    It will be a VS 2012 solution with asp.net.identity feature.
    Security will be set for internal users, federated external users and forms-based external users.  Based on their security and (claim type) role it will define what information and assets that can be retrieved from SharePoint
    I have looked through MSDN and other sources to understand.
    This one helped with my understanding, Federated Identity for Web Applications, and I assumed that the general concept could be applied to forms-based identity for non-federated external users.
    What I have now:
    VS 2012 solution web forms application set to Provider Host with asp.net.identity feature and its required membership tables.
    I can create new users and associate claims to the new user.
    I can log in with a user from the membership tables and it will take me to a default.aspx page.  I have added code to it that displays the claims associated to a user.
    For POC purposes I'd like to retrieve documents that are associated to this user from the default.aspx page.
    This is where I am having trouble understanding: Is my understanding correct?
    Internal users
    since they are internal on the network i am assuming that they would already have access to SharePoint and they would already be configured to what documents that they have available to them.
    Federated external users & Forms authentication external users
    it seems to me that the authentication for external users are separate from SharePoint authentication process.
    changes to the configuration settings are necessary in SharePoint, IIS, web application.
    I believe this is what i read.
    claims processes (e.g. mappings) need to be set up in SharePoint
    as long as external users are authenticated then things are ok b/c they would have claims associated to the user and the configuration in SharePoint takes care of the rest.
    This statement bothers me because I think it's wrong.
    So basically I'm stuck on whether my understanding is correct: once a user is authenticated either by federated identity or asp.net.identity authentication, it should go to the provider hosted default.aspx page because the claim is authenticated, which means that it should have access to it and the SharePoint document library based on some claim property. I could then write the calls to retrieve from a document library and SharePoint will know based on some claim property that the logged in user can only access certain documents.
    It just sounds too good to be true and that i'm missing something in the thought process.
    Thanks in advance for taking the time to read.
    greenwasabi

    Hi GreenWasabi,
    i agree this is an interesting topic to discuss,
    as you can check from the article, you may check this example from the codeplex: http://claimsid.codeplex.com/
    when i thinking regarding this topic, its looks like an environment with multiple of realms,
    from what you understand, its correct that all the authentication is based from the provider, so for example i have a windows live ID and internal ID, then when i login windows live ID, it will be authenticated using windows live ID server.
    here is the example for the webservice:
    http://claimsid.codeplex.com/wikipage?title=Federated%20Identity%20for%20Web%20Services&referringTitle=Home
    as i know, if you using this federated, i am not quite sure that you will need to go to the provider page literally, perhaps you can check this example if we are using azure:
    http://social.technet.microsoft.com/wiki/contents/articles/22309.integrating-windows-live-id-google-and-facebook-accounts-with-sharepoint-2013-white-paper.aspx
    Regards,
    Aries
    Microsoft Online Community Support

  • When trying to sign out of Hotmail the "back navigation button" remains green and I have to click sign out again and the same thing happens over and over and the only way to close Hotmail is to go to File and Close Frame, so what's my problem?

    When I attempt to sign out of Hot Mail by clicking "Sign Out," I get the "Sign In" instruction as I always have, however, the green Firefox navigation button remains on bright green (not going to gray) and my MSN home page will not close automatically as usual. I click on the green arrow and I get an instruction to "Sign Out" again. I click on that and get the "Sign In" again but the arrow stays green. I can repeat this countless times and never get signed out and always remaining on the MSN home page. The only way I can close is to go to File and click on Close Window and then my homepage will close and go back to desktop. I've been using Firefox for a couple of years now (IE prior to that for ten years) and have never had this problem. After using "Close Window" I go back onto my home page, from the desktop, and the navigation button is grayed out normally until I sign in again and we start the cycle over again. Have I been hacked?
    == This happened ==
    Every time Firefox opened
    == Approximately a month ago.

    I was doing a side-by-side comparison of the new and old server (we backed up the server before the reformat) and I can see that, evidently, CR XI was installed.  We have the directory C:\Program Files\Common Files\Business Objects\3.0 and all the versions match what is located in the project's bin directory.  Does this confirm that I did have XI installed and licensed at one time?
    If I purchase a more recent version, couldn't I update the reports to use the newer version?  I have all the source code.
    Thanks for your help, it is a nice sanity check for me after hours of reading forums and documentation.
    Also, just a shot in the dark, but I'm assuming it wouldn't do me any good to simply restore the aforementioned folder to my C drive?  Would that work if I registered all the dll's?
    Edited by: Eric Hollering on Dec 2, 2009 6:40 PM
    To be clear, I do have VS 2003 & 2005, and I have the source code.  I just have never used Crystal Reports in any of my .NET apps because the need wasn't there, so recompiling is not out of the question.
    Edited by: Eric Hollering on Dec 2, 2009 6:49 PM
    Also, I looked at the CrystalDecisions.CrystalReports.Engine.dll that was in the C:\Program Files\Common Files\Business Objects\3.0\Managed folder and when I right-click and view the properties, then the Version tab, in addition to the 11.0.9500.2 version number, there is a property called Product Version that has the value .NET.  Does that mean that this dll was bundled with Visual Studio?
    I also found this directory on the old server...does this tell you anything?
    C:\Program Files\Business Objects\BusinessObjects Enterprise 11
    I did see that you can still buy XI from CDW.  I have a call into them currently to check with Business Objects for any registrations from my company.
    Edited by: Eric Hollering on Dec 2, 2009 8:27 PM

  • I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self−registration

    I want to integrate SMS gateway to Cisco ISE 1.2 and my question is 
    SMS notifications are supported for Guest self−registration Services ? or it should be done by Sponsor 

    I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
    Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
    Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
    I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • 2 Factor Authentication and MacBook Pro

    Hi Guys,
    Is it possible to have a MacBook Pro as a trusted device for two factor authentication?
    I am signed into iCloud and 'Find my Mac' on my MBP, however it is not displaying alongside my iPad and iPhone as a potential trusted device.
    Googled about, can't find anything confirming.
    Thanks,
    Regards,
    John

    Unfortunately, I already tried this several times prior to posting here.  The system won't let me add the same account more than once, and continues to prompt me for a password multiple times for each service.

  • Open Directory and LDAP questions/difficulties

    Hi, my company is about to try out OSX Server to replace our old Irix file server. In order to do this we need to run through a number of tests in order to validate the idea. Basically, the test setup is a PM G5 running OSX Server 10.4 and a connected Mac and/or PC on the G5's second ethernet port as test clients. The first ethernet port is connected to the local subnet (192.168.1.x) and, ideally, the OSX Server should have its own subnet on the second port and serve DHCP, AFP and SMB to that port only, along with an OD shared directory providing both authentication and home directories for users. (later on, if all is successful, it will serve those services on the company subnet). DNS is supplied by a separate server on the subnet (DNS caching server running tinydns)
    I've read my way through the OSX Server documentation, and gathered all the information the Worksheet requires. The problems started occurring because we installed OSX Server over an OSX Client and broke off the Server Assistant, because we were worried at the time that turning on a Windows PDC would collide with our current (and very flaky) Samba server running on the Irix machine, and that DHCP might also collide with our current dhcp server.
    As a consequence, we tried to set it up via the Server Admin Panel, Network Prefs, and the Workgroup Manager, after having connected the second ethernet port of the G5.
    Doing this, and setting the OD service to an OD Master, along with a Search base of dc=hostname, dc=domain, dc=tld has not exactly changed much. The problem is that the info panel says that LDAP is not running. This confuses me no end. I thought OD was based upon LDAP. The server name in the Server Admin panel is hostname.local. And now I get to my real questions (finally):
    1. Would it be better to just wipe the machine and start again using the Assistant, and set up the ODMaster that way?
    2. When is an ODMaster not a local directory and when is it a shared directory (the hostname.local worries me)?
    3. What services exactly need to be running for the ODMaster to function properly?
    3. How do I configure the local subnet on the second port (should I use the Gateway Assistant or do it by hand), and how do I only serve those services to that port (do I do it by setting the router/gateway for those services as the IP of the second port or as localhost)?
    4. Do I need to simply enable LDAPv3 on the clients and set the search path to automatic to get the clients to authenticate?
    5. Do users and groups added to the hostname.local become part of the OD Domain?
    I'm sorry if I come across as a total newbie. I'm used to doing most of this on the commandline in Linux (except for LDAP, which is new to me), and the GUI. I have managed to entangle myself quite nicely in all this and could really use some pointers.
    Thanks in advance
    Theo.
    PowerBook G4   Mac OS X (10.4.7)  

    1. Starting with a freshly installed OS X Server is recommended, but start no services at first; you need working DNS with a reverse zone for the server IP to run OD Master (and other services). If the server domain is to be different from the existing network domain name, set up DNS in OS X for the test domain.
    2. I'm not sure I understand the question. LDAP/OD can be used on the server to "house" the user accounts but you don't have to bind computers to it.
    If you don't use the more advanced possibilities with LDAP/OD I don't think the clients even need to have LDAP configured to be able to authenticate.
    hostname.local = hostname and the standard Bonjour domainname .local ?
    3a. DNS, so that reverse lookup works for the hostname before setting up OD Master. OD needs a "true" domain name; Bonjour isn't sufficient. Set up/use something like mydomain.private.
    3b. You don't need to do NAT, you can also route between two subnets (you would need a static route in your Internet router too).
    If you want NAT you can use the GW assistant. The interface on the top of the list in Network config (where you can add more/alias interfaces) is the "main" interface used as the "WAN"/"Internet" interface.
    4. If the clients are "standalone" (not bound to the OD domain or not using server based homefolders and such) I think you only need LDAP if you want the clients to be able to search for info in OD/LDAP. Not needed for authentication.
    You can send out LDAP info with DHCP.
    5. If you mean you add/enter users and groups to OD/LDAP directory it just means you can have different servers/clients using a central repository(?) for authentication purposes.
    If you add (bind) machines to the domain you can control what clients can do locally (privileges), which applications they can run and so forth.
    In /etc/smb.conf you can say which interface to use for Samba (don't remember what to enter though). And if using the firewall (you must if you want NAT) you can stop Bonjour (mDNS - multicasts) from entering the "old" network if you like/need.
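The Samba interface restriction mentioned in the reply above, as an added example that is not part of the original post. The interface name `en1` is an assumption for the G5's second Ethernet port; `interfaces` and `bind interfaces only` are standard smb.conf parameters.

```ini
# /etc/smb.conf -- constructed fragment, not the poster's actual file.
# Assumption: en1 is the second Ethernet port (the test subnet) and
# en0 is the port on the existing company subnet.

[global]
    # Before: with no "interfaces" line, Samba uses every active,
    # broadcast-capable interface, so the test server would also
    # answer on the company subnet next to the existing Samba server.

    # After: list only the test-subnet interface plus loopback.
    # 127.0.0.1 stays in the list because local tools such as
    # smbpasswd talk to smbd over loopback.
    interfaces = en1 127.0.0.1

    # "interfaces" alone only changes which interfaces are used for
    # browsing and name registration; this setting makes smbd and nmbd
    # stop serving requests on anything not listed above.
    bind interfaces only = yes
```

Running `testparm -s` after the change prints the configuration as Samba parses it, which confirms both parameters were read from the `[global]` section.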
