Sign in authentication and cert questions!
Hi guys,
I have read this Lync 2010 article: http://blogs.technet.com/b/nexthop/archive/2012/11/28/lync-2010-client-authentication.aspx
It states that for internal users one uses Kerberos v5, TLS-DSK and NTLM v2, and for external users one uses TLS-DSK and NTLM v2.
Once one has authenticated, one retrieves a certificate that is valid for 180 days.
Now... is this valid for Lync client/server 2013 as well, or is there something new? I cannot find this information on TechNet...
For the server part one uses OAuth, I guess?
Hi,
Yes, client-server authentication uses the same mechanism as Lync 2010.
Similar Messages
-
Authentication and Authorization question.
Hi All,
I need your help validating my understanding of Authentication and Authorization. This is with regard to WebLogic Server and WebLogic Portal.
Authentication.
1. The custom authentication provider can authenticate (user and group) against any datastore (LDAP or DB). The LoginModule is a kind of black box and it can return true/false depending on the authentication result.
2. The end result of this process is true/false.
Authorization.
1. The custom authorization providers can authorize the authenticated user based on role. All these entities, i.e. user, group and role, can be either in LDAP or DB.
2. The end result of this process is true/false.
Role mapping.
1. The custom role mapper can collect all the roles that a user belongs to and return them. This can happen against LDAP or DB.
2. The end result is a list of roles for a user.
Security policy configuration.
Is it mandatory that a user/group/role exist in the WebLogic Server LDAP server (or Portal LDAP server) to create these policies and authorization rules? What I mean is: can user, group and role exist in an application-specific database and still be used for creating security policies?
Thanks,
Prashanth Bhat.
The Security Providers are useful/can be used for developing a standard J2EE application, which will be deployed as a standard J2EE application.
The DA means Delegated Administrator, which is the way portal components are restricted to different types of administrators.
The VE means Visitor Entitlements, which is the way portal components are restricted to end users.
My question is whether these (DAs and VEs) can also be put in our datastore for access rights?
Thanks,
Prashanth Bhat. -
AAA authentication and authorization question
Hi Everyone,
I have a situation that is driving me crazy.
I am using Cisco Freeware TACACS running on RedHat
Enterprise Linux 3. I've modified the source code
so that I can assign each individual user his/her
own enable password. So far so good.
I create two groups: group_A and group_S. group_A
is for advanced users and group_S is for super
users. Users that belong to group_A can have
privilege level 15 but there are certain commands
that they can not perform such as "write mem"
or "reload". Users that belong to group_S can do
EVERYTHING.
Here is my configuration on the TACACS configuration
file:
user = xyz {
    member = admin
    name = "User X"
    login = des 6.z8oIm9UGHo
}
user = $xyz$ {
    member = admin
    name = "User X"
    login = des c2bUC43cmsac.
}
user = abc {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
}
user = $abc$ {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
}
group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
}
group = admin {
    default service = permit
}
Configuration of the router:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa session-id common
line vty 0 15
 exec-timeout 0 0
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 login authentication VTY
However, what I would like to do is to assign users in group_A the ability to go into "configuration t", but I do NOT want them to have the ability to perform "no tacacs-server host x.x.x.x key cisco". Furthermore, I would like to do everything via TACACS; I don't want to configure "privilege level" on the router itself.
Is that possible? Thanks.
David
Command Authorization Sets?
Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html -
Authentication and Single Sign-On
Does the IronPort support LDAP authentication with Single Sign-On, or is it only supported on NTLM? Can you set up multiple authentication realms to the same AD server, but call different AD groups? What I am trying to accomplish is to have single sign-on working and also have users placed in certain access policies according to which AD group they are in. For instance, the marketing group would be placed into one access policy while HR would be placed in another.
Hello,
Single Sign-On is done on NTLM.
If you go to your GUI: top right-hand side > Support and Help dropdown > select Online Help > then search for "working with authentication realms".
You will see the following:
An authentication realm is a set of authentication servers (or a single server) supporting a single authentication protocol with a particular configuration.
You can perform any of the following tasks when configuring authentication:
Include up to three authentication servers in a realm.
Create zero or more LDAP realms.
Create zero or one NTLM realm.
Include an authentication server in multiple realms.
Include one or more realms in an authentication sequence.
Include realms of different protocols in a single authentication sequence.
Assign a realm or a sequence to an Access Policy group.
You can do what you are trying to do with NTLM.
I hope this answers your query.
Regards,
Eric -
Google 2 factor authentication and youtube sign in
I recently enabled google's 2 factor authentication and now can't view my youtube content/subscriptions via apple tv, presumably because of this. The account password has remained the same.
Is there a means to get around this?
Thanks.
(apple tv software is current)
Unfortunately, I already tried this several times prior to posting here. The system won't let me add the same account more than once, and continues to prompt me for a password multiple times for each service.
-
Custom Authentication and Single Sign On
Hello,
I was wondering if it is possible to have an application that has custom authentication based on tables be used as a MAIN application and have links to other HTMLdb applications within it. Then when they logged into the main application, they would not have to log in again within the 2nd or 3rd application?
regards,
Jeff
Well, I finally got the main application to work with links to (2) other HTML DB applications -- all 3 apps use the same custom authentication and within each app's authentication scheme the cookie name is the same.
From the main application, my navigational list link URL's look like this:
f?p=106:1:&SESSION. for one application
f?p=121:1:&SESSION. for the second application
Within each sub-application and in the authentication scheme I am using
wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=200:1
as the logout URL.
The main app ID is hardcoded in the logout URL, and when the user logs out of the application they are taken to the main login of the main application.
So the application is working fine -- only thing left is to change the invalid session URL in the applications and work on the frames design.
Thanks for all of your help!
Jeff -
Do I need and how to secure the Unix/Linux agents authentication and communication to RMS?
Hi everybody
We have an environment including SCOM 2012 SP1, 10 Windows servers, 40 Linux servers and 10 HP-UX servers. All of them are joined to a trusted domain. I know the authentication method between Windows agents and the management server is Kerberos, but not for the Linux and HP-UX servers.
Now I want to secure the Unix/Linux agents' authentication and communication to the RMS. Some questions:
1- How secure and credible is the current authentication method? And in a high-security environment, can I trust SCOM self-signed certificates?
2- Considering that the Unix/Linux computers are joined to the Active Directory domain and are using Kerberos to authenticate, can I use this authentication method between the RMS and the Linux agents?
3- If I decide to use certificates, should I use a gateway server? (considering all servers and the RMS are in the same trusted domain)
Any other suggestion?
Thanks in advance
nothing?
-
Wallet and Cert location with OHS in front of B2B
Hi,
I am trying to figure out how many and what types of Certs are needed as well as where the wallet should reside in the following scenario. We have a stand alone OHS in a public DMZ which is forwarding our inbound trading partner messages to the MidTier server which contains B2B. We have also configured B2B to use the public DMZ OHS as a proxy when sending outbound messages to the trading partners. The RosettaNet PIPs that we will be implementing require signing (non-repudiation), encryption and SSL.
I assume that SSL must be enabled on the public DMZ OHS, but does it have to be enabled on the MidTier server as well? I believe that if we had to enable it on both servers, then different certs would be required for the different servers, but I am not sure.
Also, we have to configure the outbound messages from our B2B with all of this (signing, encryption and SSL). Does this require a cert and wallet on the B2B server or on the OHS or both? I know that when configuring the trading partner within B2B, the cert must be accessed, but I am completely confused on if this is the cert that we use on OHS or something different.
Thanks so much for any help you can provide!
Darrin
Hi Darrin,
Certificates will be used at both OHS and Midtier. At OHS you are receiving incoming traffic, so your server certificate should be there (in PKCS 12 format). From Midtier, you are sending messages to your TPs (your outbound), so your client certificate should be at Midtier at the following location:
Oracle_Home/Apache/Apache/conf/ssl.wlt/default
At the above location three files should be there:
1. cwallet.sso
2. ewallet.p12 (your client cert with all trading partners' server cert public keys in base 64 format, including the CA's cert as well)
3. ewallet.txt (export of the whole ewallet.p12 in ".txt" format)
Give the path of ewallet.txt in your tip.properties file.
SSL would be enabled at both Midtier and OHS, but if OHS is sending messages to Midtier on the HTTP port then do not enable transport security in your host TP's delivery channel.
You have to upload the certificates which will be used for signing and encryption at the respective TP's delivery channel.
Wallets are used for client and server authentication and for signing and encryption in outbound, whereas certs uploaded at the TP's delivery channel are used for decrypting the incoming message as well as verifying the TP's signature in the message.
Regards,
Anuj
Edited by: Anuj Dwivedi on Feb 11, 2009 12:28 PM -
An issue with authentication and authorization on ISE 1.2
Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as the External Identity Source. Also, I applied an authorization profile with a DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
I tried to reboot the switch and PC, but it didn't help. Only rebooting ISE helps. After the ISE reboot, authentication and authorization start to work properly for several hours.
I don't understand: is it a glitch, or have I misconfigured ISE, the switch, or the supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15 Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1888913408
 revocation-check none
 rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
interface FastEthernet0/6
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 1
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
 ip address 172.16.0.204 255.255.240.0
 no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
 deny icmp any host 172.16.0.1
 permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
 address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
 automate-tester username radius-test idle-time 15
 key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
end
Yes. Tried that (several times), didn't work. 5 people in my office, all with vers. 6.0.1, couldn't access their Gmail accounts. Kept getting an error message that username and password were invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain, and that did the trick. Think there is an issue with imap.gmail.com and iOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.
-
How can i restore my iphone 5s as i forgot my icloud password and sec questions
I bought a new iphone 5s (32G Gold)
and when I connect it to itunes asked me to restore from my old iphone 4
with all my account settings and passwords.
But I have a problem with my account's iCloud password and security questions, because my iCloud ID is *************** and there is no problem with my Apple ID "*****************". I tried to restore my new iPhone after I turned off Find My iPhone in the iCloud settings, and when the restore was finished the iPhone was locked and asked me to unlock it with a ****************** whose password and security questions I have forgotten. When I tried to enter my account ID "****************", which has no problem with its password, it says to me "this account can't unlock this iPhone".
When I visited Tradeline (Apple products dealer) I found no answer and they advised me to contact Apple directly.
Name : Alaa Rashed Abd el Hafiz
Country : Egypt
<Personal Information Edited by Host>
First, remove your personal information from your post. That's not needed here. This is a public forum, and it is unwise to provide your personal data online.
Second, here's how you reset your password and/or security questions.
How to reset your Apple ID password.
Go to iforgot.apple.com and type in your Apple ID, then click 'Next'.
Verify your date of birth, then click 'Next'.
You'll be able to choose one of two methods to reset your password, either E-Mail Authentication or Answer Security Questions.
If neither method works, then go to https://getsupport.apple.com
(If you see a message that says 'There are no products registered to this Apple ID', simply click on 'See all products and services')
Choose 'More Products & Services', then 'Apple ID'.
A new page will open.
Choose 'Other Apple ID Topics', then 'Lost or forgotten Apple ID password'.
Click the blue 'Continue' button.
Select the contact option that suits your needs best.
How to reset your Apple ID security questions.
Go to appleid.apple.com, click on the blue button that says 'Manage Your Apple ID'.
Log in with your Apple ID and password. (If you have forgotten your Apple ID password, go to iforgot.apple.com first to reset your password with a password recovery email)
Go to the Password & Security section on the left side, and click on the link underneath the security questions that says 'Forgot your answers? Send reset security info email to [email]'. This will generate an automated e-mail that will allow you to reset your security questions.
If that doesn't work, or there is no rescue email link available, then click on 'Temporary Support PIN' that is in the bottom left side, and generate a 4-digit PIN for the Apple Account Security Advisor you will be contacting later.
Next, go to https://getsupport.apple.com
(If you see a message that says 'There are no products registered to this Apple ID', simply click on 'See all products and services')
Choose 'More Products & Services', then 'Apple ID'.
A new page will open.
Choose 'Other Apple ID Topics', then 'Forgotten Apple ID Security Questions'.
Click the blue 'Continue' button.
Select the contact option that suits your needs best. -
I haven't done SharePoint 2013 development with claims so I apologize in advance if my assumptions and questions are way out in left field.
I'm trying to understand SharePoint 2013 claims authentication for a scenario that involves:
A SharePoint provided hosted (web forms) app that will pull information and assets (e.g. PDFs) from SharePoint into the web page.
It will be a VS 2012 solution with asp.net.identity feature.
Security will be set for internal users, federated external users and forms-based external users. Based on their security and (claim type) role it will define what information and assets that can be retrieved from SharePoint
I have looked through MSDN and other sources to understand.
This one helped with my understanding
Federated Identity for Web Applications and assumed that the general concept could be applied to forms-based identity for non-Federated external users .
What I have now:
VS 2012 solution web forms application set to Provider Host with asp.net.identity feature and its required membership tables.
I can create new users and associate claims to the new user.
I can log in with a user from the membership tables and it will take me to a default.aspx page. I have added code to it that displays the claims associated to a user.
For POC purposes I'd like to retrieve documents that are associated to this user from the default.aspx page.
This is where I am having trouble understanding: is my understanding correct?
Internal users
Since they are internal on the network, I am assuming that they would already have access to SharePoint and they would already be configured for what documents are available to them.
Federated external users & Forms authentication external users
It seems to me that the authentication for external users is separate from the SharePoint authentication process.
Changes to the configuration settings are necessary in SharePoint, IIS, and the web application.
I believe this is what I read.
Claims processes (e.g. mappings) need to be set up in SharePoint.
As long as external users are authenticated then things are OK, because they would have claims associated to the user and the configuration in SharePoint takes care of the rest.
This statement bothers me because I think it's wrong.
So basically I'm stuck on whether my understanding is correct: once a user is authenticated either by federated identity or asp.net.identity authentication, it should go to the provider-hosted default.aspx page because the claim is authenticated, which means that it should have access to it and to the SharePoint document library based on some claim property. I could then write the calls to retrieve from a document library, and SharePoint will know based on some claim property that the logged-in user can only access certain documents.
It just sounds too good to be true, and I think I'm missing something in the thought process.
Thanks in advance for taking the time to read.
greenwasabi
Hi GreenWasabi,
I agree this is an interesting topic to discuss.
As you can check from the article, you may check this example from CodePlex: http://claimsid.codeplex.com/
When I think about this topic, it looks like an environment with multiple realms.
From what you understand, it's correct that all the authentication is based on the provider, so for example if I have a Windows Live ID and an internal ID, then when I log in with the Windows Live ID, it will be authenticated using the Windows Live ID server.
Here is the example for the web service:
http://claimsid.codeplex.com/wikipage?title=Federated%20Identity%20for%20Web%20Services&referringTitle=Home
As far as I know, if you are using this federation, I am not quite sure that you will need to go to the provider page literally; perhaps you can check this example if we are using Azure:
http://social.technet.microsoft.com/wiki/contents/articles/22309.integrating-windows-live-id-google-and-facebook-accounts-with-sharepoint-2013-white-paper.aspx
Regards,
Aries
Microsoft Online Community Support
-
When I attempt to sign out of Hot Mail by clicking "Sign Out," I get the "Sign In" instruction as I always have, however, the green Firefox navigation button remains on bright green (not going to gray) and my MSN home page will not close automatically as usual. I click on the green arrow and I get an instruction to "Sign Out" again. I click on that and get the "Sign In" again but the arrow stays green. I can repeat this countless times and never get signed out and always remaining on the MSN home page. The only way I can close is to go to File and click on Close Window and then my homepage will close and go back to desktop. I've been using Firefox for a couple of years now (IE prior to that for ten years) and have never had this problem. After using "Close Window" I go back onto my home page, from the desktop, and the navigation button is grayed out normally until I sign in again and we start the cycle over again. Have I been hacked?
== This happened ==
Every time Firefox opened
== Approximately a month ago.
I was doing a side-by-side comparison of the new and old server (we backed up the server before the reformat) and I can see that, evidently, CR XI was installed. We have the directory C:\Program Files\Common Files\Business Objects\3.0 and all the versions match what is located in the project's bin directory. Does this confirm that I did have XI installed and licensed at one time?
If I purchase a more recent version, couldn't I update the reports to use the newer version? I have all the source code.
Thanks for your help, it is a nice sanity check for me after hours of reading forums and documentation.
Also, just a shot in the dark, but I'm assuming it wouldn't do me any good to simply restore the aforementioned folder to my C drive? Would that work if I registered all the dll's?
Edited by: Eric Hollering on Dec 2, 2009 6:40 PM
To be clear, I do have VS 2003 & 2005, and I have the source code. I just have never used Crystal Reports in any of my .NET apps because the need wasn't there, so recompiling is not out of the question.
Edited by: Eric Hollering on Dec 2, 2009 6:49 PM
Also, I looked at the CrystalDecisions.CrystalReports.Engine.dll that was in the C:\Program Files\Common Files\Business Objects\3.0\Managed folder and when I right-click and view the properties, then the Version tab, in addition to the 11.0.9500.2 version number, there is a property called Product Version that has the value .NET. Does that mean that this dll was bundled with Visual Studio?
I also found this directory on the old server...does this tell you anything?
C:\Program Files\Business Objects\BusinessObjects Enterprise 11
I did see that you can still buy XI from CDW. I have a call into them currently to check with Business Objects for any registrations from my company.
Edited by: Eric Hollering on Dec 2, 2009 8:27 PM -
I want to integrate an SMS gateway with Cisco ISE 1.2 and my question is:
Are SMS notifications supported for Guest self-registration services, or should it be done by a Sponsor?
I'm not sure I understand the question. Do you want to log in to the Sponsor Portal using AD credentials?
Create an Identity Source Sequence using AD as an Authentication Source. Go to Administration > Identity Management > Identity Source Sequences. Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings. Double-click Sponsor from the Left Menu and click Authentication Source. Choose the Identity Source Sequence. Click Save.
I hope this helps.
Charles Moreton -
2 Factor Authentication and MacBook Pro
Hi Guys,
Is it possible to have a MacBook Pro as a trusted device for two factor authentication?
I am signed into iCloud and 'Find my Mac' on my MBP, however it is not displaying along side my iPad and iPhone as a potential trusted device.
I Googled around but can't find anything confirming this.
Thanks,
Regards,
John
-
Open Directory and LDAP questions/difficulties
Hi, my company is about to try out OSX Server to replace our old Irix file server. In order to do this we need to run through a number of tests in order to validate the idea. Basically, the test setup is a PM G5 running OSX Server 10.4 and a connected Mac and/or PC on the G5's second ethernet port as test clients. The first ethernet port is connected to the local subnet (192.168.1.x) and, ideally, the OSX Server should have its own subnet on the second port and serve DHCP, AFP and SMB to that port only, along with an OD shared directory providing both authentication and home directories for users. (later on, if all is successful, it will serve those services on the company subnet). DNS is supplied by a separate server on the subnet (DNS caching server running tinydns)
I've read my way through the OS X Server documentation, and gathered all the information the Worksheet requires. The problems started occurring because we installed OS X Server over an OS X Client and broke off the Server Assistant, because we were worried at the time that turning on a Windows PDC would collide with our current (and very flaky) Samba server running on the Irix machine, and that DHCP might also collide with our current DHCP server.
As a consequence, we tried to set it up via the Server Admin Panel, Network Prefs, and the Workgroup Manager, after having connected the second ethernet port of the G5.
Doing this, and setting the OD service to an OD Master, along with a Search base of dc=hostname, dc=domain, dc=tld has not exactly changed much. The problem is that the info panel says that LDAP is not running. This confuses me no end. I thought OD was based upon LDAP. The server name in the Server Admin panel is hostname.local. And now I get to my real questions (finally):
1. Would it be better to just wipe the machine and start again using the Assistant, and set up the OD Master that way?
2. When is an OD Master not a local directory and when is it a shared directory (the hostname.local worries me)?
3. What services exactly need to be running for the OD Master to function properly?
3. How do I configure the local subnet on the second port (should I use the Gateway Assistant or do it by hand), and how do I only serve those services to that port (do I do it by setting the router/gateway for those services as the IP of the second port or as localhost)?
4. Do I need to simply enable LDAPv3 on the clients and set the search path to automatic to get the clients to authenticate?
5. Do users and groups added to hostname.local become part of the OD Domain?
I'm sorry if I come across as a total newbie. I'm used to doing most of this on the commandline in Linux (except for LDAP, which is new to me), and the GUI. I have managed to entangle myself quite nicely in all this and could really use some pointers.
Thanks in advance
Theo.
PowerBook G4 Mac OS X (10.4.7)
1. Starting with a freshly installed OS X Server is recommended, but start no services at first; you need working DNS with a reverse zone for the server IP to run OD Master (and other services). If the server domain is to be different from the existing network domain name, set up DNS in OS X for the test domain.
2. I'm not sure I understand the question. LDAP/OD can be used on the server to "house" the user accounts but you don't have to bind computers to it.
If you don't use the more advanced possibilities with LDAP/OD I don't think the clients even need to have LDAP configured to be able to authenticate.
hostname.local = hostname and the standard Bonjour domain name .local?
3a. DNS, so that reverse lookup works for the hostname before setting up OD Master. OD needs a "true" domain name; Bonjour isn't sufficient. Set up/use something like mydomain.private.
3b. You don't need to do NAT, you can also route between two subnets (you would need a static route in your Internet router too).
If you want NAT you can use the GW assistant. The interface on the top of the list in Network config (where you can add more/alias interfaces) is the "main" interface used as the "WAN"/"Internet" interface.
4. If the clients are "standalone" (not bound to the OD domain or not using server based homefolders and such) I think you only need LDAP if you want the clients to be able to search for info in OD/LDAP. Not needed for authentication.
You can send out LDAP info with DHCP.
5. If you mean you add/enter users and groups to OD/LDAP directory it just means you can have different servers/clients using a central repository(?) for authentication purposes.
If you add (bind) machines to the domain you can control what clients can do locally (privileges), which applications they can run and so forth.
In /etc/smb.conf you can say which interface to use for Samba (don't remember what to enter though). And if using the firewall (you must if you want NAT) you can stop Bonjour (mDNS multicasts) from entering the "old" network if you like/need.
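The answer above makes two DNS prerequisites for an OD Master explicit: the server needs a real (non-Bonjour) domain name, and forward and reverse lookups for its IP must agree. The following pre-flight script is an added example and is not code from either poster; it assumes `dig` (BIND tools) is installed for the live check, while the name-handling helpers run without any network access so they can be tested offline. The hostname and IP in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-flight DNS checks before promoting an OS X Server to OD Master.
# Pure helpers (normalize_name, is_bonjour_name, reverse_matches) need no network;
# check_od_dns performs live lookups and assumes `dig` is available (assumption).

# Normalize a DNS name for comparison: lowercase, strip the trailing dot that
# PTR answers carry.
normalize_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Bonjour/mDNS names (.local) are not usable as the OD Master's domain name.
is_bonjour_name() {
    case "$(normalize_name "$1")" in
        *.local) return 0 ;;
        *)       return 1 ;;
    esac
}

# Compare the server's FQDN with the target of a reverse (PTR) lookup.
# Empty names never match, so a missing PTR record is reported as a failure.
reverse_matches() {
    fqdn=$(normalize_name "$1")
    ptr=$(normalize_name "$2")
    [ -n "$fqdn" ] && [ "$fqdn" = "$ptr" ]
}

# Live check: succeeds only when the name is not a Bonjour name and the
# forward (A) and reverse (PTR) records agree with the configured IP.
check_od_dns() {
    fqdn="$1"
    ip="$2"
    if is_bonjour_name "$fqdn"; then
        echo "FAIL: $fqdn is a Bonjour name; OD needs a real domain such as mydomain.private" >&2
        return 1
    fi
    fwd=$(dig +short "$fqdn" A | head -n 1)
    if [ "$fwd" != "$ip" ]; then
        echo "FAIL: forward lookup of $fqdn returned '$fwd', expected $ip" >&2
        return 1
    fi
    ptr=$(dig +short -x "$ip" | head -n 1)
    if ! reverse_matches "$fqdn" "$ptr"; then
        echo "FAIL: reverse lookup of $ip returned '$ptr', expected $fqdn" >&2
        return 1
    fi
    echo "OK: $fqdn and $ip agree in forward and reverse DNS"
}

# Usage (live, constructed placeholder values):
#   check_od_dns server.mydomain.private 192.168.1.10
```

Run the live check with the server's intended FQDN and the address of the interface OD will bind to; a failing reverse lookup is the condition the answer warns about, and fixing the DNS zone first avoids a half-configured OD Master.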