SPNego still allowing non Kerberos Logons

Similar Messages

• Certificate signing and excryption - some changes still allowed...

  I am trying to batch certify and encrypt PDFs.  The PDF should only allow the user to print the document; however, after the JS runs the user can still extract pages and copy content; all other permissions are behaving as expected.  Is another property missing that will trigger these misbehaviours to operate properly?
  Also how does one use and read the cLegalAttest property?  I have specificed this property, but I can not find the string in the signature panel.
  Thank you for your help!
  var certPath = "/C/Documents and Settings/rrh/Desktop/Sample/";
  var curDoc = this;
  var proCertPW = curDoc.info.cliId
  var proCertSig = curDoc.info.cliId + ".pfx";
  var proCertFile = curDoc.info.cliId + ".cer";
  var cliCertFile = curDoc.info.cliId + ".cer";
  var solCert = security.importFromFile({cType:"Certificate", cDIPath:certPath + proCertFile});
  var cliCert = security.importFromFile({cType:"Certificate", cDIPath:certPath + cliCertFile});
  var oEntity = [{certificates:cliCert, defaultEncryptCert:proCert}];
  curDoc.encryptForRecipients(
      oGroups:
              userEntities: oEntity,
              permissions:
                  allowAll: false,
                  allowAccessibility: false,
                  allowContentExtraction: false,
                  allowChanges: "none",
                  allowPrinting: "lowQuality"
      bMetaData:true
  // Certify the Document without visible signature
  var f = curDoc.addField({cName:"CertifyDocument", cFieldType:"signature", nPageNum:0, oCoords:[0,0,0,0]});
  f.display = display.hidden;
  var s = {name: "My Company",
           location: "Monte Carlo, Monaco",
           reason: "I created this document specfically for " + curDoc.info.ClientName,
           contactInfo: "[email protected]",
           password: proCertPW,
           mdp: "allowNone" };
  var sh = security.getHandler("Adobe.PPKLite");
  sh.login(proCertPW, certPath + proCertSig);
  sh.signInvisible = true;
  sh.signAuthor = true;
  f.signatureSign(
      oSig: sh,
      oInfo: s,
      bUI: false,
      cLegalAttest:"Do not distribute this document."
  ppklite.logout();

  Do you still have your LC environment setup?
  No...   ran out of time. Where can I find 26-hour days?
  To disable Copy Content and Page Extraction you need to set the MDP
  (Modification Detection and Prevention) properties of you SignatureInfo
  object appropritely and make sure you are using a certificate for
  signing that is allowed to perform document certification and not
  simply document approval.  Set your SignatureInfo.mdp value to
  "allowNone".  This is the same as doing "Certify with Visible
  Signature" from the "Sign & Certify" menu as opposed to simply
  choosing "Sign Document", which will leave copy & extraction
  allowed as well.  When the document is certified, copy & extraction
  are disabled.
  I verified my code, and as far as i can tell, MDP is set properly.  I also tested without the encryption, but content copying (both) and page extraction are still allowed.  I double checked the Digital ID (pfx) that I made with Microsoft Certificate Services (via server); it was only for code signing.  I created a "temporary" digital ID though Acrobat and it has permissions for <all>.  The tickmarks for encryption, signing, etc in security settings were also verified.
  var strcDIPath = curDoc.path.replace(".pdf", "");
  var f = curDoc.addField({cName:"CertifyDocument", cFieldType:"signature", nPageNum:0, oCoords:[0,0,0,0]});
  f.display = display.hidden;
  var sh = security.getHandler("Adobe.PPKLite");
  sh.login(solCertPW, certPath + solCertSig);
  sh.signInvisible = true;
  sh.signAuthor = true;
  var s = {name: "My Company",
           location: "Monte Carlo, Monaco",
           reason: "This document created specfically for " + curDoc.info.preparedFor + ".",
           contactInfo: "[email protected]",
           password: solCertPW,
           mdp: "allowNone"
  f.signatureSign(
      oSig: sh,
      oInfo: s,
      cDIPath: strcDIPath + " (Certified).pdf",
      bUI: false,
      cLegalAttest: "Do not distribute this document."
  sh.logout()
  I was able to get the permissions needed by using P/W secuirty then certifying the document.
  Ok, with cLegalAttest, this also has to do with an MDP certification.
  When you apply an MDP signature to certify the document, it is scanned
  for legal warnings.
  I suppose I have no legal warnings in my document.  Maybe i could use this Godfather reference as a warning (it is work safe)?
  http://www.foreignpolicy.com/images/090419_horse.jpg
  Thank you for all your help and consideration.  I have been using "js_api_reference 8.pdf"; does Adobe have a resource other than this document for PDF security and code?  (I also have "acrobat_reader_security_9x.pdf")

• Allowing non-administrator users to deploy workflows

  I need to allow users who do not have admin group access on the server to deploy workflows. How can I do this? Is there a group to which I add them (_pcastserver didn't work)? Ideally, I would like to enable persons in a few Active Directory groups to deploy workflows, but if they need to be individual user IDs, that's (marginally) acceptable.
  Thanks,
  Charles

  From our Apple Sales Engineer:
  "The closest thing to allowing non-administrators to be able to submit workflows would be to configure users or groups as Podcast Producer administrators only. They would then be able to submit workflows, and however be able to configure Podcast Producer within Server Admin.
  Server Admin --> Server --> Access --> Administrators --> Podcast Producer
  Add a user or group and grant the ability to administer. They will not have the ability to administer the server or escalate to root privileges."
  These users still have access to Administer Podcast Producer with Server Admin though.

• Windows Authentication Kerberos - Logon with different windows user

  I've successfully set up Windows Integrated Authentication/SPNego/Kerberos logon on my portal.  Now when I launch the portal from a workstation I am logged on automatically with my Windows userid without needed to provided userid and password again - very happy!
  When I press logoff the portal returns to the logon screen, sees that I've got a kerberos ticket, and logs me straight back on!  Not happy!
  As an administrator or as a super user, it is sometimes necessary to log on with an administrative userid or to visit an end user and log on as myself on their workstation.  Therefore, I need a mechanism to override the automatic logon and force a basic password prompt screen.
  As I understand it I can achieve this by creating a special iView with its own authscheme which does not use SPNego.  I could either point the logoff redirect url setting to this iView or I could simply enter the quicklink for the iView in the browser.  Will this circumvent the automatic logon and, if so, is there anything special I need to do to achieve this?
  I had hoped to use the standard logon screen as the iView.  I've got that stored in a par file (along with my corporate icons and a link to local help files).  I uploaded the par file through system administration - support - portal runtime - administration console and thought I might be able to see that when I created a portal component iView but it's not visible.  Should it be?

  When I need to logon as a test user, I find it easier to disable the integrated Windows authentication in the browser. You can do that in the menus, but I change the registry. Create two text files (e.g., DisableKerb.reg and EnableKerb.reg)
  Disable.reg:
  Windows Registry Editor Version 5.00
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  "EnableNegotiate"=dword:00000000
  Enable.reg:
  Windows Registry Editor Version 5.00
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  "EnableNegotiate"=dword:00000001
  Then just double-click to change your authentication mechanism.
  Regards,
  Sean

• My classic video ipod won't switch back to regular video mode after using it on an elliptical. The port still allows me to charge and works on the elliptical and treadmill but it will no longer change modes to allow me to watch my shows on the ipod screen

  My classic video ipod won't switch back to regular video mode after using it on an elliptical. The port still allows me to charge and works on the elliptical and treadmill but it will no longer change modes to allow me to watch my shows on the ipod screen

  From the iPod's Main Menu choose Videos -> Settings and make sure TV Out is set to Off.
  Otherwise, try a hard reset as well.  To do this, press and hold both the Select (Center) and Menu buttons together long enough for the Apple logo to appear.
  B-rock

• How do I move from one website to another using Safari, while still allowing Pandora to provide music in the background? It seems that when ever I open a new URL, I lose Pandora.

  How do I move from one website to another using Safari, while still allowing Pandora to provide music in the background? It seems that when ever I open a new URL, I lose Pandora.

  Try running Pandora in its own tab and leaving that tab open (Safari 7.1.5, OS 10.9.5).  I don't have Pandora to try this, but it works for me otherwise.
  Good luck
  srb

• How can I get bookmarks moved to a new laptop when my old broken laptop can no longer launch Firefox but does still allow access to all of the Profile files such as places.sqlite

  My old laptop appears to be a victim of Bit Rot according to an IT person who was here helping me. All of the support material I've seen so far related to moving bookmarks from one computer to another seem to assume that Firefox can be launched on the old computer (which can't be done in my case). I'd like to figure out how to use the files which may hold my extensive bookmark data while the old computer is still allowing me to access those files and save to a removable thumb drive.

  Fortunately I seem to have found and still have access to the old Profile files you're mentioning but I don't know how to make use of them such that Firefox on my new computer can incorporate all the data they hold. Again, I'm not able to open Firefox on the old computer. Any ideas how to use these .sqlite files on the new computer to get myself operable how I had been w. Firefox on the old broken one?

• How do you block your teen from the internet while still allowing them to use the computer for homework?

  My daughter has a mac air that she needs for homework and school documents.  She is however so distracted by her access to all that the internet has to offer that she is forever "doing homework"! How can I block some of her access while still allowing her to actually do homework and use Safari for research?
  Thanks for your help

  Parental Control - found in System Preferences.

• I am trying to set up a child account where websites are restricted unless they are on the approved list, however youtube is still allowed.  How do I block youtube?

  I am trying to set up a child account where websites are restricted unless they are on the approved list, however youtube is still allowed.  How do I block youtube?

  Hello jmkibert,
  Thank you for using Apple Support Communities.
  For more information, take a look at:
  OS X Mavericks: Set up parental controls
  http://support.apple.com/kb/PH14414
  Web > try to limit access to adult websites > customize > never allow these websites.
  Have a nice day,
  Mario

• What is the oldest generation of iPad that will still allow me to run IOS8 and allow for future IOS updates?

  Buying a used iPad... what is the oldest generation of iPad that will still allow me to run IOS8 and allow for future IOS updates?
  Thanks

  An iPad 2 will do it...for awhile. Realize that it's seemingly on it's last legs as far as iOS updates go and performance will not be great enough for today's demanding games. Also realize that a big part of running apps smoothly is how much system RAM (the memory area that the apps actually run in) the device has. The iPad 2 has 512 MB which is adequate for most apps but not for some. The iPads above the iPad 2 all have 1 GB of system RAM and the iPad Air 2 has 2 GB.
  The time will come when the iPad 2 can no longer be updated past a certain iOS version (as the iPad 1 is) so it will be more difficult to keep up with apps that you want to be using. This will eventually happen to ALL devices so you'll have to judge if you want to be at the tail-end of iOS updates or at least have a bigger buffer with a newer iPad.

• PO- Why PO still allow to change after Delivery Completed has ticked.

  Dear All,
  I'm doing functional testing for MM, but i realised that the PO still allow to change after delivery completed has ticked.
  Can i know if there is a way to restrict any change after any good receiving or delivery completed?
  Thank you very much,
  Regards,
  Chee Wee

  Hi,
  Here we have same problem that after tick GR completed system allow to take further receipt though PO is not open.
  we communicate with SAP and there is no function available to close the po for receipt until you reduce PO qty for GRN Qty or loca / delete line item.
  We had write user exit to check tick in PO for GRN allow or not and that give error message.
  You can do same for GRN.
  Regards,
  Chetan Mistry

• I had 4 installtion disk but the last installation disk is missing. I still allow to keep the photoshop , indesign and illustrator software in the computer but i can only keep that on a trial of 30 days. In order to use it permenantly, I have to activate

  I had 4 installation disk but the last installation disk is missing. I still allow to keep the Photoshop , Indesign and illustrator software in the computer but i can only keep that on a trial of 30 days. In order to use it permanently, I have to activate the Suite. As the phone activation service is no longer available. I try the online activation as mention in the phone message when I tried to call, but is not successful@ as it didn't bring to an activation page. What should I do to activate it or solve the problem?

  There should be an option tro activate when you run any of the installed programs.

• Hi, I wish to buy an Adobe Master Collection CS3 (Corporate Edition) from someone in the US and I hope to use it in the UK. Does anyone know if this can be done without any problems, also does Adobe still allow people to register the CS3 Corporate Edition

  Hi, I wish to buy an Adobe Master Collection CS3 (Corporate Edition) from someone in the US and I hope to use it in the UK. Does anyone know if this can be done without any problems, also does Adobe still allow people to register the CS3 Corporate Edition? any help would be greatly appreciated

  The flaw is here:
  corporate edition
  ...which essentially means it's most likely a volume license and thus not transferable in the first place. The rest is as Steve said - buying software on eBay is risky even on the best of days.
  Mylenium

• I currently have Max OS X 10.5.8. What can I upgrade to that will still allow my programs to work (iWork '08 mainly)?

  I currently have Max OS X 10.5.8. What can I upgrade to that will still allow my programs to work (iWork '08 mainly)?

  Choose About this Mac from the Apple menu and check the processor.
  If you're using a PowerPC G4 or G5 Mac, nothing; they can't be upgraded past 10.5.8.
  If you're using an Intel Mac, click here and look the applications up.
  (107998)

• I use Plaxo for my contacts, and I want it to synch my Outlook contacts with my PC.  So I can't use my iCloud contact synch.  My question: How do I disable my iCloud contact synch feature while still allowing the rest of iCloud (music

  I use Plaxo for my contacts, and I want it to synch my Outlook contacts with my PC.  I got a new HP PC with the (awful) Windows 8.0 operating system, and, to say the least, I miss the good old days.   Plaxo customer support tells me that I can't use my iCloud contact synch because they clash. 
  My question: How do I disable my iCloud contact synch feature while still allowing the rest of iCloud (music, photos) to operate as usual.
  What mysterious steps must I take in order to do this and not cause a complete meltdown in the process?  The meltdown that I fear most is the one that happens between my ears.

  Music is nothing to do with iCloud but Photostream is, so turn off Mail, Contacts and Calendars (in the iCloud Control Panel) and leave everything else on.
  You will lose iCloud Calendars and Mail as well as Contacts, but you can manually re-enable mail (if you use iCloud email)