SMTP with STARTTLS and/or Authentication
Hello,
I'm having trouble with an smtp sender.
I tried both setting authentication and/or starttls, but:
- authentication seems not to be issued if normal smtp is selected, even though I see the call on my Authenticator: the smtp server complains about no authentication.
- starttls seems not to be issued, as the SSL package complains about a non ssl stream:
DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]
DEBUG SMTP: useEhlo true, useAuth true
getPasswordAuthentication: ******** / ********
DEBUG SMTP: useEhlo true, useAuth true
DEBUG SMTP: trying to connect to host "sendm.pec.sonicle.com", port 25, isSSL false
DEBUG SMTP: exception reading response: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
Here isSSL is false, because I want to use starttls instead of smtps, and the ssl stack complains...as if starttls was not issued.
Session debugging never shows commands about starttls nor authentication.
As you can see from the code below, I need a separate Session with its own properties, because I may have more than one relay class running in the same VM, working with different smtp servers and different options.
Notice also that I run a Transport manually, call connect with no arguments, as they will all be found in properties and from the Authenticator.
The class is to have its public properties set just after instantiation; then call initialize() to set up its session instance.
Then you can call its createMessage(InputStream data) to create a msg from, e.g., an eml file.
Or you can create the MimeMessage yourself, but be careful to use the same session as the Relay on creation.
Finally run sendMessage(MimeMessage msg) to send it.
Where is my error?
Here is my code:
import java.io.InputStream;
import java.util.*;
import javax.mail.*;
import javax.mail.internet.*;

/**
 * @author gbulfon
 */
public class Relay extends Authenticator {

    public String sender;
    public String host;
    public int port=25;
    public String protocol="smtp";
    public boolean ssl=false;
    public String username;
    public String password;

    Properties props;
    Session session;

    // Builds a Session private to this relay from the public fields above.
    public void initialize() {
        System.out.println("relay "+host+" uses "+protocol);
        props=(Properties)System.getProperties().clone();
        props.setProperty("mail."+protocol+".host", host);
        props.setProperty("mail."+protocol+".port", ""+port);
        if (ssl && protocol.equals("smtp")) {
            props.put("mail.smtp.starttls.enable","true");
            props.put("mail.smtp.socketFactory.port", port);
            props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
            props.put("mail.smtp.socketFactory.fallback", "false");
        }
        if (username!=null) {
            System.out.println("relay "+host+" is authenticated as "+username);
            props.setProperty("mail."+protocol+".auth", "true");
        }
        session=javax.mail.Session.getInstance(props,this);
        session.setDebug(true);
    }

    public Session getSession() {
        return session;
    }

    // Called back by the Transport when the server asks for credentials.
    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        System.out.println("getPasswordAuthentication: "+username+" / "+password);
        return new PasswordAuthentication(username,password);
    }

    public void sendMessage(MimeMessage msg) throws MessagingException {
        Transport transport=session.getTransport(protocol);
        try {
            // Host, port and credentials come from the session properties and the Authenticator.
            transport.connect();
            transport.sendMessage(msg, msg.getAllRecipients());
        } finally {
            transport.close();
        }
    }

    // Parses a message (e.g. an eml file) using this relay's session.
    public MimeMessage createMessage(InputStream data) throws AddressException, MessagingException {
        MimeMessage msg=new MimeMessage(session, data);
        return msg;
    }
}
Thanx so much! And sorry for the CODE.......
Anyway I just discovered minutes ago that taking out three lines was going great:
if (ssl && protocol.equals("smtp")) {
    props.put("mail.smtp.starttls.enable","true");
    //props.put("mail.smtp.socketFactory.port", port);
    //props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
    //props.put("mail.smtp.socketFactory.fallback", "false");
}
just commented out those 3 lines, now it works ;)))
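Why removing those three lines helps, as an added example that is not part of the original posts: the SSLSocketFactory setting wraps the socket in TLS from the first byte (implicit TLS), while STARTTLS starts in plaintext and upgrades, so the two cannot be combined on a plaintext port. The check below uses only java.util.Properties with documented JavaMail property names; the class name, method names and the host smtp.example.org are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added example, not code from the thread. Class and method names are hypothetical.
public class SmtpTlsConfigCheck {

    static final String SSL_FACTORY = "javax.net.ssl.SSLSocketFactory";

    // Settings shared by every variant below.
    static Properties base(String host, int port) {
        Properties p = new Properties();
        p.setProperty("mail.smtp.host", host);
        p.setProperty("mail.smtp.port", Integer.toString(port));
        p.setProperty("mail.smtp.auth", "true");
        return p;
    }

    // The combination from the first post, rebuilt here for the check.
    static Properties asPosted(String host, int port) {
        Properties p = base(host, port);
        p.put("mail.smtp.starttls.enable", "true");
        p.put("mail.smtp.socketFactory.port", port); // Integer, as in the post
        p.put("mail.smtp.socketFactory.class", SSL_FACTORY);
        p.put("mail.smtp.socketFactory.fallback", "false");
        return p;
    }

    // STARTTLS: connect in plaintext, upgrade to TLS, then authenticate.
    static Properties startTls(String host, int port) {
        Properties p = base(host, port);
        p.setProperty("mail.smtp.starttls.enable", "true");
        // Fail the connect if the server does not offer STARTTLS,
        // instead of continuing (and authenticating) in plaintext.
        p.setProperty("mail.smtp.starttls.required", "true");
        // Check that the certificate matches the host name we connected to.
        p.setProperty("mail.smtp.ssl.checkserveridentity", "true");
        return p;
    }

    // Implicit TLS (smtps, typically port 465): handshake before any SMTP command.
    static Properties implicitTls(String host, int port) {
        Properties p = base(host, port);
        p.setProperty("mail.smtp.ssl.enable", "true");
        p.setProperty("mail.smtp.ssl.checkserveridentity", "true");
        return p;
    }

    static boolean isTrue(Properties p, String key) {
        // p.get() rather than getProperty(): the post stores non-String values too.
        return "true".equalsIgnoreCase(String.valueOf(p.get(key)));
    }

    // Returns one finding per problem; an empty list means the settings are consistent.
    static List<String> lint(Properties p) {
        List<String> findings = new ArrayList<>();
        boolean startTls = isTrue(p, "mail.smtp.starttls.enable");
        boolean required = isTrue(p, "mail.smtp.starttls.required");
        boolean implicit = isTrue(p, "mail.smtp.ssl.enable")
                || SSL_FACTORY.equals(p.get("mail.smtp.socketFactory.class"));
        if (startTls && implicit) {
            findings.add("CONFLICT: STARTTLS combined with a TLS-wrapped socket; on a "
                    + "plaintext port the handshake fails with 'Unrecognized SSL message'");
        }
        if (isTrue(p, "mail.smtp.auth") && !implicit && !(startTls && required)) {
            findings.add("PLAINTEXT-AUTH: auth is on but TLS is not enforced; "
                    + "set mail.smtp.starttls.required=true");
        }
        return findings;
    }

    static void report(String label, Properties p) {
        List<String> findings = lint(p);
        System.out.println(label + ": " + (findings.isEmpty() ? "OK" : findings));
    }

    public static void main(String[] args) {
        String host = "smtp.example.org"; // placeholder host, not from the thread

        report("as posted", asPosted(host, 25));

        // The follow-up fix: the three socketFactory lines removed.
        Properties fixed = asPosted(host, 25);
        fixed.remove("mail.smtp.socketFactory.port");
        fixed.remove("mail.smtp.socketFactory.class");
        fixed.remove("mail.smtp.socketFactory.fallback");
        report("three lines removed", fixed);

        report("STARTTLS required", startTls(host, 25));
        report("implicit TLS", implicitTls(host, 465));
    }
}
```

Run it with `java SmtpTlsConfigCheck.java` on Java 11 or later; the "three lines removed" case connects, but is still reported because STARTTLS stays optional there.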
Similar Messages
-
WLC Flexconnect with AAA and MAC authentication
hi,
i am having cisco WLC with 7.4.121 version and i am having remote side access points to be connected to this controller and remote access point will have different vlan on the remote side itself.
my question is i am having Radius authentication for the clients who are all connecting from all the access points and MAC filtering also.
My radius server is placed in the HQ where we have WLC. which method of flexconnect switching will give me both AAA and MAC filter options to be working.
one more question,
is it possible to make each AP separate MAC filters On the WLC.
thanks
cyril
If you are planning on doing machine authentication i.e authentication of machine with username password by the AAA server at then this is possible using flexconnect local switching enabled provided you have your AAA server accessible via the local VLAN at the remote site.
In case you are planning on doing mac-filtering using WLC and username/password authentication using AAA server then this cannot be achieved when you enable Flexconnect local switching as you do not get an option to configure the mac-filtering on Flex-connect groups. Hence you would need to use central authentication.
Actually the best option for you is that you either deploy a local site AAA server and do both the authentications via your radius server or use Central authentication with Flexconnect APs in case this is not feasible.
Hope this clears your doubts!!!
Note: Please do not forget to rate and accept as solution in case the post is valid.
-
OSB 11G - Routing with policy and forwarding authentication headers
Hi there,
I'm having problems trying to add authentication to some services developed with OSB 11G.
One of the requirements is that the services authenticate using the "oracle/wss_username_token_service_policy" policy... So far so good...
My problem now is that one of the services I'm trying to route messages to needs the same authentication as the OSB router... I've tried everything I found but without any success... The headers aren't being propagated...
I've found out that the header variable has the Authentication segments so I can remove the routing, add a service callout and add the header variable to it.. But this is kind of a hammered solution...
Is there any other solution that I'm missing?
Thanks in advance,
Best Regards,
Daniel Alves
Edited by: 863416 on Sep 18, 2012 9:49 AM
Hi,
transporting header setting is described here
Yuan's SOA Blog: Retrieve and pass around http Authorization header with OSB
but something is missing, I have to set proxy service Authentication to Basic. But then OSB authenticate inbound request at local scope and I want to authenticate at called web service level. How to do that?
-
Cisco aironet 1040: create wireless with wpa2 and mac authentication
Hi,
I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
Can anyone help me? thanks
ap#show configuration
Using 2085 out of 32768 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid Svez
authentication open mac-address mac_methods
authentication key-management wpa version 2
username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
username 00907a0f2a55 autocommand exit
username administrator privilege 15 password 7 033449040A0620425A0D15564F42
username 0025d3db778b password 7 055B565D74481D0D1B52404A09
username 0025d3db778b autocommand exit
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid Svez
antenna gain 0
station-role root
world-mode legacy
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
end
ap#
-
Hi *,
I have the following problem with RADIUS and EAP authentication.
Radius server sends an "Access-Accept" packet to my AP, but the station does not authenticate.
I've tried with different encryption configuration and with different authentication methods under "dot11 essid", but nothing changes...
What could it be?
Debug piece and configuration follows:
*Jan 25 14:23:34.795: RADIUS/ENCODE(00000012): acct_session_id: 17
*Jan 25 14:23:34.795: RADIUS(00000012): sending
*Jan 25 14:23:34.799: RADIUS: 4E 47 56 7A 78 65 4A 4F 55 31 47 40 77 6C 61 6E [NGVzxeJOU1G@wlan]
*Jan 25 14:23:34.799: RADIUS: 2E 6D 6E 63 30 30 31 2E 6D 63 63 30 30 31 2E 33 [.mnc001.mcc001.3]
*Jan 25 14:23:34.799: RADIUS: 67 70 70 6E 65 74 77 6F 72 6B 2E 6F 72 67 [gppnetwork.org]
*Jan 25 14:23:34.799: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Jan 25 14:23:34.799: RADIUS: NAS-Port [5] 6 265
*Jan 25 14:23:34.799: RADIUS: NAS-Port-Id [87] 5 "265"
*Jan 25 14:23:34.799: RADIUS: NAS-IP-Address [4] 6 192.168.173.2
*Jan 25 14:23:34.811: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes
*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012):Orig. component type = DOT11
*Jan 25 14:23:34.831: RADIUS: AAA Unsupported Attr: ssid [265] 8
*Jan 25 14:23:34.831: RADIUS: 57 69 66 69 45 41 [WifiEA]
*Jan 25 14:23:34.831: RADIUS: AAA Unsupported Attr: interface [157] 3
*Jan 25 14:23:34.831: RADIUS: 32 [2]
*Jan 25 14:23:34.831: RADIUS(00000012): Config NAS IP: 192.168.173.2
*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012): acct_session_id: 17
*Jan 25 14:23:34.835: RADIUS(00000012): sending
*Jan 25 14:23:34.835: RADIUS: 10 01 00 01 07 05 00 00 D9 37 C3 D9 79 3E 33 EA [?????????7??y>3?]
*Jan 25 14:23:34.835: RADIUS: F3 7D 73 43 BF BA D0 6A [?}sC???j]
*Jan 25 14:23:34.835: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Jan 25 14:23:34.835: RADIUS: NAS-Port [5] 6 265
*Jan 25 14:23:34.835: RADIUS: NAS-Port-Id [87] 5 "265"
*Jan 25 14:23:34.835: RADIUS: NAS-IP-Address [4] 6 192.168.173.2
*Jan 25 14:23:35.035: RADIUS: Received from id 1645/64 192.168.177.158:1812, Access-Challenge, len 304
*Jan 25 14:23:35.039: RADIUS: 46 10 78 5F 5F B0 CB 6C 0B 05 00 00 DA C3 BF 28 [F?x__??l???????(]
*Jan 25 14:23:35.039: RADIUS: E0 18 2B 95 97 C2 0A D7 40 53 FE 62 [??+?????@S?b]
*Jan 25 14:23:35.039: RADIUS(00000012): Received from id 1645/64
*Jan 25 14:23:35.039: RADIUS/DECODE: EAP-Message fragments, 60+220, total 280 bytes
*Jan 25 14:23:35.355: RADIUS/ENCODE(00000012):Orig. component type = DOT11
*Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr: ssid [265] 8
*Jan 25 14:23:35.355: RADIUS: 57 69 66 69 45 41 [WifiEA]
*Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr: interface [157] 3
*Jan 25 14:23:35.359: RADIUS: 92 DA 5E 26 CF 40 01 22 7A 8E F5 C1 [??^&?@?"z???]
*Jan 25 14:23:35.359: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Jan 25 14:23:35.359: RADIUS: NAS-Port [5] 6 265
*Jan 25 14:23:35.359: RADIUS: NAS-Port-Id [87] 5 "265"
*Jan 25 14:23:35.359: RADIUS: NAS-IP-Address [4] 6 192.168.173.2
*Jan 25 14:23:35.367: RADIUS: Received from id 1645/65 192.168.177.158:1812, Access-Accept, len 30
*Jan 25 14:23:35.367: RADIUS: authenticator 8C 2C 1B 97 82 BB 6C 7F - AA D3 4A AB CA 22 8B B7
*Jan 25 14:23:35.367: RADIUS: EAP-Message [79] 10
*Jan 25 14:23:35.367: RADIUS: 03 01 00 04 00 00 00 00 [????????]
*Jan 25 14:23:35.371: RADIUS(00000012): Received from id 1645/65
*Jan 25 14:23:35.371: RADIUS/DECODE: EAP-Message fragments, 8, total 8 bytes
*Jan 25 14:23:35.671: %DOT11-7-AUTH_FAILED: Station d023.dbb8.d6a9 Authentication failed
Config:
aaa new-model
!
aaa group server radius rad_eap
 server-private 192.168.177.158 auth-port 1812 acct-port 1813 key 7 044803071D2448
!
aaa authentication login eap_methods group rad_eap
aaa authorization exec default if-authenticated
aaa authorization network default if-authenticated
!
aaa session-id common
ip name-server 192.168.177.45
!
dot11 ssid WifiEAP1
 vlan 10
 authentication open eap eap_methods
 authentication shared eap eap_methods
 authentication key-management wpa optional
 guest-mode
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 10 mode ciphers aes-ccm tkip wep128
 !
 broadcast-key vlan 10 change 300
 !
 ssid WifiEAP1
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 ip address 192.168.173.3 255.255.255.0
 no ip route-cache
!
interface GigabitEthernet0.1
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.173.2 255.255.255.0
 no ip route-cache
!
ip radius source-interface BVI1
bridge 1 route ip
thanks so much!
Stefano: not sure if related but there is an unsupported attribute in the debugs:
Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr:
*Jan 25 14:23:35.355: RADIUS: 57 69 66 69 45 41
*Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr: interface
Try to eliminate any configured attributes on radius except those in IETF radius. Then try again.
You may also check by removing the shared eap as suggested above. Let us know if this works.
Sent from Cisco Technical Support iPad App
-
Cisco ISE (1.3) Posture and re-authentication
Hello,
With posture and re-authentication, during the re-authentication the posture status switches to pending. This results in a redirect to client provisioning and a temporary but unwanted state with no access to network resources.
Is there a way to work around this?
Regards,
Dennis
24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there.
-
Hi, I´m having some trouble to authenticate the users with EAP and MAC authentication, i´m using IAS server and the EAP authentication is working well, but when I configure the MAC and EAP authentication, it doesn´t connect to the clients.
Any idea how can I solve this problem??
Thanks
I think MAC authentication is not supported in IAS, you can do MAC address filtering on AP
-
Anyconnect 3.1 and certificate authentication
I am doing a proof of concept with anyconnect and certificate authentication. with 3.0 i was able to do this with a certificate from my CA and a client cert in a smartcard. I have upgraded to 3.1 and now it doesn't work anymore (i need 3.1 and Asa 9.0 because of IPv6 Split-tunneling).
Reading the forum i got some info that the ASA cert must have a EKU value of 'Server Authentication' and the client cert must have a similar EKU (client Auth)
Is this mandatory or is there a way around this?
Just to add to this.
Anyconnect 3.1 started KU enforcement, but typically it will drop a warning you can accept (annoying but not blocking).
EKU, is something that for the time being ASA will not enforce, plus it's only needed to IKEv2/IPsec, AFAIR SSL will work without it unless there have been big changes I'm not aware of.
One can also argue EKU enforcement will not be strictly speaking enforced in future of IKEv2.
Vide:
http://tools.ietf.org/html/rfc4945
5.1.3.12. ExtendedKeyUsage
M.
-
Can we provide UN and pwd Authentication 4r SMTP Mail Configuration
Dear All,
Previously we are able to send the mails from SAP to Outside World. After changing the Mail Server to MS Exchange 2003
We enabled the Port the 25.
We are facing a problem While configuring a mail via SMTP for Exchange Server 2003.
Throws an Error Message:
Internal error: CL_SMTP_RESPONSE ESMTP error code is not known. 554 554 > : Recipient add
As per network Team :
Unless we provide a Username and password, the Send/Receive process does not happen.
Is there any option in SAP - SMTP Mail Configuration to Provide user and password Authentication.
I searched in SDN as well as in market place. but i could not succeed. Please guide me the process.
Regards
SNB.
Hi we are configuring Google SMTP getting below error..
No delivery to xxx.com, authentication required
Message no. XS856
Diagnosis
The message was processed successfully in the SAP system. The mail server that is to receive the message for further processing requires authentication. Probably there is no logon data specified in the SAPconnect configuration.
Information from external system (if available)
smtp.gmail.com:587
530 5.7.0 Must issue a STARTTLS command first. i91sm11178241qgd.25 - gsmtp
Procedure
Enter the logon data in the SAPconnect node.
Using Gmail SMTP server using "smtp.gmail.com" with port 587
Please advise.
Regards,
Sudarshan
-
"Bad Authentication" when pop or smtp with Verizon e-mail using Evolution
I'm using Evolution 3.2.3 as my e-mail client.
It's worked with literally every ISP and mail service other than Verizon.
I followed the instructions on the Verizon support e-mail client setup:
Incoming mail server (POP3): pop.verizon.net
Incoming Server Port Numbers: 995
Outgoing mail server (SMTP): smtp.verizon.net
Outgoing Server Port Numbers: 465 Why is this important?
Make sure SSL encryption is enabled for the incoming and outgoing mail server.
But if I try to receive or send e-mail I always get a "Bad authentication response from server" error.
Has anyone ever got Evolution to work with Verizon?
I searched and it seemed to work up until the year 2013.
For the sake of example, we are going to pretend that we are setting up fictional account "[email protected]" and the password for logging into that account in webmail is "fakepassword" - Again, this is a fictitious account for the sake of an example.
The settings for using Verizon's servers would be:
Incoming Server: pop.verizon.net
Server Requires Authentication: Yes
Username: fakeacct
Password: fakepassword
Requires a Secure Connection (SSL): Yes
Port: 995
Outgoing Server: smtp.verizon.net
Server Requires Authentication: Yes (You can set it to use the same settings as incoming, or manually enter the username and password.)
Requires a Secure Connection (SSL): Yes
Port: 465
If you are given the option anywhere for Secure Password Authentication (SPA), set it to No, Normal, Plain, etc. - This can also be listed as "Authentication type" in some clients.
These settings should work unless you have a Verizon/Yahoo account, in which case the server names are: incoming.yahoo.verizon.net -and- outgoing.yahoo.verizon.net
If all of that is set up and it's still not working, your best bet is to provide a screenshot of your settings (with personal information blocked/removed) and any errors you are getting.
-
I'm trying to setup my HP laserjet Pro 200 Color Mfp M276nw to Scan to fax. I'm being prompted to give the SMTP user id and password. I'm using mac os 10.7.5 Can anyone help me out with this issue? I called yahoo twice. They never return calls as promised. Thanks, Darrell
Hi nofear68,
I understand you've been unable to get the information needed to use the scan to fax feature on your HP laserjet Pro 200 Color Mfp M276nw. If you're using 'Yahoo' as your mail provider, I recommend using the following settings:
SMTP server address: smtp.mail.yahoo.com
User name: Your full Yahoo Mail email address (including "@yahoo.com")
Password: Your Yahoo Mail password
Port: 465
TLS/SSL required: yes
Let me know if this resolves the issue.
Thank you,
I worked on behalf of HP.
-
I am trying to update software on my macbook pro. From the apple menu, I click "check updates", software is then checked and a list presented of software that I require downloading. I then tick the relevant applications. The blue bar with "install and restart" appears, I press this, the computer goes into restart mode, I login and start all over again.
i seem to be in a loop! No authentical dialogue box appears for me to enter my name and password.
Any suggestions please!
Hi, try a refresh that'll bypass the cache with the Shift key + F5 (or Shift-click on reload) which is the same as clearing your browser cache (Ctrl+F5 for the Internet Exploder). If that doesn't work, then you can try a new firefox profile (https://support.mozilla.com/en-US/kb/Profiles) just to see if it's (your) Firefox-related or maybe an actual problem with the site (maybe starting Firefox in Safe Mode can be a quicker check).
-
Configuring Basic Authentication with Username and password on BizTalk Schema Service
Hi,
I have published my schema as a webservice with WCF-BASICHTTP adapter in IIS 8.0.
I wanted to have a Basic Authentication(User name and password restriction).
I made the Receive location with Security mode as Transport and Transport Client Crediential Type as Basic.
I also set the Service in IIS with Basic Authentication only enabled.
But I don't know how to provide a UserName and Password Authentication.
Please provide your suggestions
Regards, Vignesh S
Hi,
Try & go through the below MSDN link as it explains configuring WCF BasicHttp adapter very well.
http://msdn.microsoft.com/en-us/library/bb246064(v=bts.80).aspx
HTH,
Sumit
Sumit Verma - MCTS BizTalk 2006/2010 - Please indicate "Mark as Answer" or "Mark as Helpful" if this post has answered the question
-
SAPGUI and Portal Authentication using AD Credentials with usr/passw prompt
Hi Experts,
We have the following requirements:
1. Portal/EP has UME set to ABAP (in other words using ECC6 system's user/password).
2. ECC6 user-id's differ from Active Directory user.
3. User logs in to Active Directory.
4. User wants to log on to SAPGUI (ECC6 system), with a user-name password prompt, using the Active directory Credentials.
5. User wants to log on to Portal/EP, with a user-name password prompt, using the Active Directory Credentials.
The following suggested solution was the closest to the requirement (without to much technical detail):
1. For SAPGUI, implement SSO on the workstation GUI's and maintain the Active Directory user in transaction SU01 in the ALIAS field.
This should enable the user to, after having logged onto the Active Directory, to open the SAPGUI and WITHOUT user-name password prompt, be authenticated and logged into SAP. This would entail settings to be done on each workstations GUI.
2. For the Portal/EP, implement Kerberos on the portal, setting it to authenticate to the AD. As per note 935644 maintain an additional attribute on the UME, to enable the mapping between the UME and the AD users.
This should enable the user, after having logged onto the Active Directory, to open Internet Explorer, go to the Portal URL, and be authenticated and logged into the portal, WITHOUT user-name password prompt.
Do you know the viability of this solution, or whether there is any better suggestion (especially to keep the user-name password prompt, and without changing the ECC6 or Active directory users).
Regards.
AJP,
The description you have given is an exact description of the capability of our product. I represent a company called CyberSafe, and our products are designed and sold to SAP customers for integrating the SAP user authentication with Active Directory authentication. We have some unique features in our product which you could benefit from, e.g. our SAP GUI SNC library has the ability to popup a logon screen asking user for Active Directory account and password before it logs the user onto SAP. Also, when the SAP system has authenticated the user, either via the Web browser or via SAP GUI their Kerberos principal name (determined from AD account name and domain) is mapped onto a SAP user using a table in the ABAP system. The browser authentication even uses this same table for mapping so that an authenticated account name does not need to be same as the SAP user they log onto.
If you would like to discuss our product more, and/or arrange a free evaluation please contact me using the email address in my SDN business card.
Thank you,
Tim
-
Hi!
I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
This is the goal:
On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
I have set up a Windows Certificate server, and the client (WinXP) are receiving both machine and user certificates just fine.
I have also managed to set up so Machine Authentication works, by setting up a policy rule that checks on certificate only:
"Certificate Dictionary:Common Name contains .admin.testdomain.lan"
But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
Thank you.
Hello again.
I found out how to do this now..
What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.
You must also remember to change the AuthMode option in Windows XP Registry to "1".
What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
That would have plugged a few security holes for me.