SMTP with STARTTLS and/or Authentication

Hello,
I'm having trouble with an smtp sender.
I tried both setting authentication and/or starttls, but:
- authentication seem not to be issued if normal smtp is selected, even though I see the call on my Authenticator: the smtp server complains about no authentication.
- starttls seem not to be issued, as the SSL packages complains about a non ssl stream:
DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]
DEBUG SMTP: useEhlo true, useAuth true
getPasswordAuthentication: ******** / ********
DEBUG SMTP: useEhlo true, useAuth true
DEBUG SMTP: trying to connect to host "sendm.pec.sonicle.com", port 25, isSSL false
DEBUG SMTP: exception reading response: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
Her isSSL is false, because I want to use starttls instead of smtps, and the ssl stack complains...as if starttls was not issued.
Session debugging never show commands about starttls nor authentication.
As you can see from the code below, I need a separate Session with its own properties, because I may have more than one relay class running in the same VM, working with different smtp servers and different options.
Notice also that I run a Transport manually, call connect with no arguments, as they will all be found in properties and from the Authenticator.
The class is to be setup its public properties just after instantiation, then call initialize() to setup its session instance.
Then you can call its createMessage(InputStream data) to create a msg from, e.g., an eml file.
Or you can create the MimeMessage yourself, but beware to use the same session as the Relay on creation.
Finally run sendMessage(MimeMessage msg) to send it.
Where is my error?
Here is my code:
import java.io.InputStream;
import java.util.*;
import javax.mail.*;
import javax.mail.internet.*;
* @author gbulfon
public class Relay extends Authenticator {
public String sender;
public String host;
public int port=25;
public String protocol="smtp";
public boolean ssl=false;
public String username;
public String password;
Properties props;
Session session;
public void initialize() {
System.out.println("relay "+host+" uses "+protocol);
props=(Properties)System.getProperties().clone();
props.setProperty("mail."+protocol+".host", host);
props.setProperty("mail."+protocol+".port", ""+port);
if (ssl && protocol.equals("smtp")) {
props.put("mail.smtp.starttls.enable","true");
props.put("mail.smtp.socketFactory.port", port);
props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
props.put("mail.smtp.socketFactory.fallback", "false");
if (username!=null) {
System.out.println("relay "+host+" is authenticated as "+username);
props.setProperty("mail."+protocol+".auth", "true");
session=javax.mail.Session.getInstance(props,this);
session.setDebug(true);
public Session getSession() {
return session;
@Override
protected PasswordAuthentication getPasswordAuthentication() {
System.out.println("getPasswordAuthentication: "+username+" / "+password);
return new PasswordAuthentication(username,password);
public void sendMessage(MimeMessage msg) throws MessagingException {
Transport transport=session.getTransport(protocol);
transport.connect();
transport.sendMessage(msg, msg.getAllRecipients());
transport.close();
public MimeMessage createMessage(InputStream data) throws AddressException, MessagingException {
MimeMessage msg=new MimeMessage(session, data);
return msg;
}

Thanx so much! And sorry for the CODE.......
Anyway I just discovered minutes ago that taking out three lines was going great:
if (ssl && protocol.equals("smtp")) {
            props.put("mail.smtp.starttls.enable","true");
            //props.put("mail.smtp.socketFactory.port", port);
            //props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
            //props.put("mail.smtp.socketFactory.fallback", "false");
}just commented out those 3 lines, now it works ;)))

Similar Messages

  • WLC Flexconnect with AAA and MAC authentication

    hi,
    i am having cisco WLC with 7.4.121 version and i am having remote side access points to be connected to this controller and remote access point will have different vlan on the remote side itself.
    my question is i am having  Radius authentication for the clients who are all connecting from all the access points and MAC filtering also.
    My radius server is placed in the HQ where we have WLC. which method of flexconnect switchign will give be both AAA and MAc filter options to be working.
    one more question,
    is it possible to make each AP seperate MAC filters On the WLC.
    thanks
    cyril

    If you are planning on doing machine authentication i.e authentication of machine with username password by the AAA server at then this is possible using flexconnect local switching enabled provided you have your AAA server accessible via the local VLAN at the remote site.
    In case you are planning on doing mac-filtering using WLC and username/password authentication using AAA server then this cannot be achieved when you enable Flexconnect local switching as you do not get an option to configure the mac-filtering on Flex-connect groups.Hence you would need to use central authentication.
    Actually the best option for you is that you either deploy a local site AAA server and do both the authentications via your radius server or use Central authentication with Flexconnect APs incase this is not feasible.
    Hope this clears you doubts!!!
    Note: Please do not forget to rate and accept as solution incase the post is valid.

  • OSB 11G - Routing with policy and forwarding authentication headers

    Hi there,
    I'm having problems trying to add authentication to some services developed with OSB 11G.
    One of the requirements is that the services authenticate using the "oracle/wss_username_token_service_policy" policy... So far so good...
    My problem now is that one of the services I'm trying to route messages to needs the same authentication as the OSB router... I've tried everything I found but without any success... The headers aren't being propagated...
    I've found out that the header variable has the Authentication segments so I can remove the routing, add a service callout and add the header variable to it.. But this is kind of a hammered solution...
    Is there any other solution that I'm missing?
    Thanks in advance,
    Best Regards,
    Daniel Alves
    Edited by: 863416 on Sep 18, 2012 9:49 AM

    Hi,
    transporting header setting is described here
    Yuan's SOA Blog: Retrieve and pass around http Authorization header with OSB
    but something is missing, I have to set proxy service Authentication  to Basic. But then OSB authenticate inbound request at local scope and I want to authenticate at called web service level. How to do that?

  • Cisco aironet 1040: create wireless with wpa2 and mac authentication

    Hi,
    I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
    I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
    Can anyone help me? thanks
    Hi,
    I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
    I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
    Can anyone help me? thanks

    ap#show configuration
    Using 2085 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid Svez
       authentication open mac-address mac_methods
       authentication key-management wpa version 2
    username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
    username 00907a0f2a55 autocommand exit
    username administrator privilege 15 password 7 033449040A0620425A0D15564F42
    username 0025d3db778b password 7 055B565D74481D0D1B52404A09
    username 0025d3db778b autocommand exit
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers tkip
    ssid Svez
    antenna gain 0
    station-role root
    world-mode legacy
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    no ip route-cache
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap#

  • Problem with EAP and RADIUS

    Hi *,
      I have the following problem with RADIUS and EAP authentication.
    Radius server sends an "Access-Accept" packet to my AP, but the station does not authenticate.
    I've tried with different encryption configuration and with different authentication methods under "dot11 essid", but nothing changes...
    What could it be?
    Debug piece and configuration follows:
    *Jan 25 14:23:34.795: RADIUS/ENCODE(00000012): acct_session_id: 17*Jan 25 14:23:34.795: RADIUS(00000012): sending*Jan 25 14:23:34.799: RADIUS:   4E 47 56 7A 78 65 4A 4F 55 31 47 40 77 6C 61 6E  [NGVzxeJOU1G@wlan]*Jan 25 14:23:34.799: RADIUS:   2E 6D 6E 63 30 30 31 2E 6D 63 63 30 30 31 2E 33  [.mnc001.mcc001.3]*Jan 25 14:23:34.799: RADIUS:   67 70 70 6E 65 74 77 6F 72 6B 2E 6F 72 67        [gppnetwork.org]*Jan 25 14:23:34.799: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]*Jan 25 14:23:34.799: RADIUS:  NAS-Port            [5]   6   265                       *Jan 25 14:23:34.799: RADIUS:  NAS-Port-Id         [87]  5   "265"*Jan 25 14:23:34.799: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2             *Jan 25 14:23:34.811: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012):Orig. component type = DOT11*Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: ssid              [265] 8   *Jan 25 14:23:34.831: RADIUS:   57 69 66 69 45 41                                [WifiEA]*Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: interface         [157] 3   *Jan 25 14:23:34.831: RADIUS:   32                                               [2]*Jan 25 14:23:34.831: RADIUS(00000012): Config NAS IP: 192.168.173.2*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012): acct_session_id: 17*Jan 25 14:23:34.835: RADIUS(00000012): sending*Jan 25 14:23:34.835: RADIUS:   10 01 00 01 07 05 00 00 D9 37 C3 D9 79 3E 33 EA  [?????????7??y>3?]*Jan 25 14:23:34.835: RADIUS:   F3 7D 73 43 BF BA D0 6A                          [?}sC???j]*Jan 25 14:23:34.835: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]*Jan 25 14:23:34.835: RADIUS:  NAS-Port            [5]   6   265                       *Jan 25 14:23:34.835: RADIUS:  NAS-Port-Id         [87]  5   "265"*Jan 25 14:23:34.835: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2             *Jan 25 14:23:35.035: RADIUS: Received from id 1645/64 192.168.177.158:1812, Access-Challenge, len 304*Jan 25 14:23:35.039: RADIUS:   46 10 78 5F 5F B0 CB 6C 0B 05 00 00 DA C3 BF 28  [F?x__??l???????(]*Jan 25 14:23:35.039: RADIUS:   E0 18 2B 95 97 C2 0A D7 40 53 FE 62              [??+?????@S?b]*Jan 25 14:23:35.039: RADIUS(00000012): Received from id 1645/64*Jan 25 14:23:35.039: RADIUS/DECODE: EAP-Message fragments, 60+220, total 280 bytes*Jan 25 14:23:35.355: RADIUS/ENCODE(00000012):Orig. component type = DOT11*Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: ssid              [265] 8   *Jan 25 14:23:35.355: RADIUS:   57 69 66 69 45 41                                [WifiEA]*Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: interface         [157] 3   *Jan 25 14:23:35.359: RADIUS:   92 DA 5E 26 CF 40 01 22 7A 8E F5 C1              [??^&?@?"z???]*Jan 25 14:23:35.359: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]*Jan 25 14:23:35.359: RADIUS:  NAS-Port            [5]   6   265                       *Jan 25 14:23:35.359: RADIUS:  NAS-Port-Id         [87]  5   "265"*Jan 25 14:23:35.359: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2             *Jan 25 14:23:35.367: RADIUS: Received from id 1645/65 192.168.177.158:1812, Access-Accept, len 30*Jan 25 14:23:35.367: RADIUS:  authenticator 8C 2C 1B 97 82 BB 6C 7F - AA D3 4A AB CA 22 8B B7*Jan 25 14:23:35.367: RADIUS:  EAP-Message         [79]  10  *Jan 25 14:23:35.367: RADIUS:   03 01 00 04 00 00 00 00                          [????????]*Jan 25 14:23:35.371: RADIUS(00000012): Received from id 1645/65*Jan 25 14:23:35.371: RADIUS/DECODE: EAP-Message fragments, 8, total 8 bytes*Jan 25 14:23:35.671: %DOT11-7-AUTH_FAILED: Station d023.dbb8.d6a9 Authentication failed
    Config:
    aaa new-model!aaa group server radius rad_eap server-private 192.168.177.158 auth-port 1812 acct-port 1813 key 7 044803071D2448!aaa authentication login eap_methods group rad_eapaaa authorization exec default if-authenticated aaa authorization network default if-authenticated !         aaa session-id commonip name-server 192.168.177.45!                dot11 ssid WifiEAP1   vlan 10   authentication open eap eap_methods    authentication shared eap eap_methods   authentication key-management wpa optional   guest-mode!         bridge irb!         interface Dot11Radio0 no ip address no ip route-cache !        encryption vlan 10 mode ciphers aes-ccm tkip wep128 !        broadcast-key vlan 10 change 300 !        ssid WifiEAP1 !        antenna gain 0 station-role root!         interface Dot11Radio0.10 encapsulation dot1Q 10 native no ip route-cache bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled!         interface GigabitEthernet0 ip address 192.168.173.3 255.255.255.0 no ip route-cache!         interface GigabitEthernet0.1 encapsulation dot1Q 10 native no ip route-cache bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled!         interface BVI1 ip address 192.168.173.2 255.255.255.0 no ip route-cache!ip radius source-interface BVI1 bridge 1 route ip
    thanks so much!

    Stefano: not sure if related but there is an unsupported attribute in the debugs:
    Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr:
    *Jan 25 14:23:35.355: RADIUS:   57 69 66 69 45 41
    *Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: interface
    Try to eliminate any configured attributes on radius except those in IETF radius. Then try again.
    You may also chech by removing the shared eap as suggested above. Let us know if this works.
    Sent from Cisco Technical Support iPad App

  • Cisco ISE (1.3) Posture and re-authentication

    Hello,
    With posture and re-authentication, during the re-authentication the posture status swithes to pending. This results in a redirect to client provisioning and a temperorly but unwanted state with no access to network resources.
    Is there a way to work around this?
    Regards,
    Dennis

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
    log off and on  or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. 

  • IAS and MAC authentication

    Hi, I´m having some trouble to authenticate the users with EAP and MAC authentication, i´m using IAS server and the EAP authentication is working well, but when I configure the MAC and EAP authentication, it doesn´t connect to the clients.
    Any idea how can I solve this problem??
    Thansk

    I think MAC authentication is not supported in IAS , you can do MAC address filtering on AP

  • Anyconnect 3.1 and certificate authentication

    I am doing a proof of concept with anyconnect and certificate authentication. with 3.0 i was able to do this with a certificate from my CA and a client cert in a smartcard. I have upgraded to 3.1 and now it doesnt work anymore ( i need 3.1 and Asa 9.0 because of IPv6 Split-tunneling).
    Reading the forum i got some info that the ASA cert must have a EKU value of 'Server Authentication' and the client cert must have a similar EKU (client Auth)
    Is this mandatory or is there a way around this?

    Just to add to this.
    Anyconnect 3.1 started KU enforcement, but typically it will drop a warning you can accept (annoying but not blocking).
    EKU, is something that for the time being ASA will not enforce, plus it's only needed to IKEv2/IPsec, AFAIR SSL will work without it unless there have been big changes I'm not aware of.
    One can also argue EKU enforcement will not be strictly speaking enforced in future of IKEv2.
    Vide:
    http://tools.ietf.org/html/rfc4945
    5.1.3.12.  ExtendedKeyUsage
    M.

  • Can we provide UN and pwd Authentication 4r SMTP Mail Configuration

    Dear All,
    Previously we are able to send the mails from SAP to Outside World. After chaning the Mail Server to MS Exchange 2003
    We enabled the Port the 25.
    We are facing a problem While configuring a mail via SMTP for Exchange Server 2003.
    Throws an Error Message:
    Internal error: CL_SMTP_RESPONSE ESMTP error code is not known. 554 554 > : Recipient add
    As per network Team :
    Unless we provide a Username and password, the Send/Receive process does not happen.
    Is there any option in SAP - SMTP Mail Configuration to Provide user and password Authentication.
    I searched in SDN as well as in market place. but i could not succeed. Please guide me the process.
    Regards
    SNB.

    Hi we are configuring Google SMTP getting below error..
    No delivery to xxx.com, authentication required
    Message no. XS856
    Diagnosis
    The message was processed successfully in the SAP system. The mail server that is to receive the message for further processing requires authentication. Probably there is no logon data specified in the SAPconnect configuration.
    Information from external system (if available)
    smtp.gmail.com:587
    530 5.7.0 Must issue a STARTTLS command first. i91sm11178241qgd.25 - gsmtp
    Procedure
    Enter the logon data in the SAPconnect node.
    Using Gmail SMTP server using "smtp.gmail.com" with port 587
    Please advise.
    Regards,
    Sudarshan

  • "Bad Authentication" when pop or smtp with Verizon e-mail using Evolution

    I'm using Evolution 3.2.3 as my e-mail client.
    It's worked with literally every ISP and mail service other than Verizon.
    I followed the instructions on the Verizon support e-mail client setup:
    Incoming mail server (POP3): pop.verizon.net
    Incoming Server Port Numbers: 995
    Outgoing mail server (SMTP): smtp.verizon.net
    Outgoing Server Port Numbers: 465  Why is this important?
    Make sure SSL encryption is enabled for the incoming and outgoing mail server.
    But if I try to receieve or send e-mail I always get a "Bad authentication response from server" error.
    Has anyone ever got Evolution to work with Verizon?
    I searched and it seemed to work up until the year 2013.

    For the sake of example, we are going to pretend that we are setting up fictional account "[email protected]" and the password for logging into that account in webmail is "fakepassword" - Again, this is a fictitious account for the sake of an example.
    The settings for using Verizon's servers would be:
    Incoming Server: pop.verizon.net
    Server Requires Authentication: Yes
    Username: fakeacct
    Password: fakepassword
    Requires a Secure Connection (SSL): Yes
    Port: 995
    Outgoing Server: smtp.verizon.net
    Server Requires Authentication: Yes (You can set it to use the same settings as incoming, or manually enter the username and password.)
    Requires a Secure Connection (SSL): Yes
    Port: 465
    If you are given the option anywhere for Secure Password Authentication (SPA), set it to No, Normal, Plain, etc. - This can also be listed as "Authentication type" in some clients.
    These settings should work unless you have a Verizon/Yahoo account, in which case the server names are: incoming.yahoo.verizon.net -and- outgoing.yahoo.verizon.net
    If all of that is set up and it's still not working, your best bet is to provide a screenshot of your settings (with personal information blocked/removed) and any errors you are getting.
    If a forum member gives an answer you like, give them the Kudos they deserve. If a member gives you the answer to your question, mark the answer as Accepted Solution so others can see the solution to the problem.
    "All knowledge is worth having."

  • Need smtp user id and password for mac os..so I can scan to fax with HP laser jet Pro 200 m276

    I'm tring to setup my HP laserjet Pro 200 Color Mfp M276nw to Scan to fax. I'm being promted to  give the SMTP user id and password. I'm usin mac os 10.7.5 Can anyone help me out with this issue?  I called yahoo twice. They never return calls as promised. Thanks, Darrell

    Hi nofear68,
    I understand you've been unable to get the information needed to use the scan to fax feature on your HP laserjet Pro 200 Color Mfp M276nw. If you're using 'Yahoo' as your mail provider, I recommend using the following settings:
    SMTP server address: smtp.mail.yahoo.com
    User name: Your full Yahoo Mail email address (including "@yahoo.com")
    Password: Your Yahoo Mail password
    Port: 465
    TLS/SSL required: yes
    Let me know if this resolves the issue.
    Thank you,
    I worked on behalf of HP.

  • HT2558 I am trying to upload software but each time I am asked to upload a box pops up with install and restart. I press this, the computer restarts and I start all over again. No authentication icon appears.

    I am trying to update software on my macbook pro. From the apple menu, I click "check updates", software is then checked and a list presented of software that I require downloading. I then tick the relevant applications. The blue bar with "install and restart" appears, I press this, the computer goes into restart mode, I login and start all over again.
    i seem to be in a loop! No authentical dialogue box appears for me to enter my name and password.
    Any suggestions please!

    Hi, try a refresh that'll bypass the cache with the Shift key + F5 (or Shift-click on reload) which is the same as clearing your browser cache (Ctrl+F5 for the Internet Exploder). If that doesn't work, then you can try a new firefox [https://support.mozilla.com/en-US/kb/Profiles profile] just to see if it's (your) Firefox-related or maybe an actual problem with the site (maybe starting Firefox in [[Safe Mode]] can be a quicker check).

  • Configuring Basic Authentication with Username and password on BizTalk Schema Service

    Hi,
    I have published my schema as a webservice with WCF-BASICHTTP adapter in IIS 8.0.
    I wanted to have a Basic Authentication(User name and password restriction).
    I made the Receive location with Security mode as Transport and Transport Client Crediential Type as Basic.
    I also set the Service in IIS with Basic Authentication only enabled.
    But I don't know how to provide a UserName and Password Authentication.
    Please provide your suggestions
    Regards, Vignesh S

    Hi,
    Try & go through the below MSDN link as it explains configuring WCF BasicHttp adapter very well.
    http://msdn.microsoft.com/en-us/library/bb246064(v=bts.80).aspx
    HTH,
    Sumit
    Sumit Verma - MCTS BizTalk 2006/2010 - Please indicate "Mark as Answer" or "Mark as Helpful" if this post has answered the question

  • SAPGUI and Portal Authentication using AD Credentials with usr/passw prompt

    Hi Experts,
    We have the following requirements:
    1. Portal/EP has UME set to ABAP (in other words using ECC6 system's user/password).
    2. ECC6 user-id's differ from Active Directory user.
    3. User logs in to Active Directory.
    4. User wants to log on to SAPGUI (ECC6 system), with a user-name password prompt, using the Active directory Credentials.
    5. User wants to log on to Portal/EP, with a user-name password promt, using the Active Directory Credentials.
    The following suggested solution was the closest to the requirement (without to much technical detail):
    1. For SAPGUI, implement SSO on the workstation GUI's and maintain the Active Directory user in transaction SU01 in the ALIAS field.
    This should enable the user to, after having logged onto the Active Directory, to open the SAPGUI and WITHOUT user-name password prompt, be authenticated and logged into SAP. This would entail settings to be done on each workstations GUI.
    2. For the Portal/EP, implement Kerberos on the portal, setting it to authenticate to the AD. As per note 935644 maintain an additional attribute on the UME, to enable the mapping between the UME and the AD users.
    This should enable the user, after having logged onto the Active Directory, to open Internet Explorer, go to the Portal URL, and be authenticated and logged into the portal, without WITHOUT user-name password prompt.
    Do you know the viability of this solution, or whether there is any better suggestion (especially to keep the user-name password prompt, and without changing the ECC6 or Active directory users).
    Regards.

    AJP,
    The description you have given is an exact description of the capability of our product. I represent a company called CyberSafe, and our products are designed and sold to SAP customers for integrating the SAP user authentication with Active Directory authentication. We have some unique features in our product which you could benefit from, e.g. our SAP GUI SNC library has the ability to popup a logon screen asking user for Active Directory account and password before it logs the user onto SAP. Also, when the SAP system has authenticated the user, either via the Web browser or via SAP GUI their Kerberos principal name (determined from AD account name and domain) is mapped onto a SAP user using a table in the ABAP system. The browser authentication even uses this same table for mapping so that an authenticated account name does not need to be same as the SAP user they log onto.
    If you would like to discuss our product more, and/or arrange a free evaluation please contact me using the email address in my SDN business card.
    Thankyou,
    Tim

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
    I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
    That would have plugged a few security holes for me.

Maybe you are looking for