SPNego still allowing non Kerberos Logons
After exhaustive searches and attempts, I thought I had the SPNegoLoginModule installed. These are the steps that I have followed.
1. Created a service user in the user directory used by the KDC.
2. Created the keytab file and transferred it to the J2EE server. *** Note that I have found that the directions in help.sap.com are different for NW2004 and NW2004s! It seems there is an additional step there. I am running EP6 SPS15 and using NW2004.
3. Created krb5.conf
4. Added the 3 lines to the UME.
5. Configured the logon stacks. *** Note and warning, there is a difference between the instructions for NW2004 and NW2004s! Coming from an Environment that never had to deal with this step before, I admit that I was totally lost on my first attempts.
6. Configured ADS data source for Kerberos Authentication.
7. Configured IE for Kerberos Authentication.
I restarted the engine and I was able to log on to the Portal. Victory, NO!
I wanted to test so I undid step 7. I was STILL able to log in. SPNego is not working. Not finding any other docs, I went to the VA and changed the SAP-J2EE-Engine logon module to SPNegoLoginModule. DO NOT DO THIS! The engine comes up, SPNego is still not working and you can no longer get into the VA. I had to manually change the security settings in the configtool just to activate SAP* to undo the damage.
The only thing I can think of that is still letting me log in is that I use MSADS as my LDAP. In configuring the ADS for Kerberos I added the lines of code to the existing code that was used. Is this the correct way to do this?
Anyone see a step that I missed?
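One way to reason about why a logon stack can still accept a plain password, as an added example that is not SAP's code and not the stack shipped with NW2004: a small Python model of the standard JAAS control-flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL, as defined for javax.security.auth.login.Configuration) applied to three illustrative stacks. The module names (evaluate_ticket, spnego, basic_password) and the stacks themselves are assumptions made up for the illustration.

```python
"""Model of JAAS login-stack control flags (added example, not SAP's code).

Semantics follow javax.security.auth.login.Configuration:
  REQUIRED   must succeed; evaluation continues either way
  REQUISITE  must succeed; a failure ends evaluation at once
  SUFFICIENT a success ends evaluation at once, unless an earlier
             REQUIRED/REQUISITE module already failed; a failure continues
  OPTIONAL   counts only when the stack has no REQUIRED/REQUISITE modules
Module and stack names below are illustrative assumptions.
"""
from enum import Enum


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


def evaluate_stack(stack, outcomes):
    """Return (authenticated, modules_consulted).

    stack    -- list of (module_name, Flag) in configured order
    outcomes -- module_name -> True if that module's login() would succeed
                for this request (missing names count as failure)
    """
    saw_required = False      # a REQUIRED/REQUISITE module was consulted
    required_failed = False   # ... and one of them failed
    other_success = False     # a SUFFICIENT/OPTIONAL module succeeded
    consulted = []
    for name, flag in stack:
        consulted.append(name)
        ok = bool(outcomes.get(name, False))
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            saw_required = True
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break
        elif flag is Flag.SUFFICIENT:
            if ok:
                other_success = True
                if not required_failed:
                    break     # short-circuit: nothing after this runs
        else:  # OPTIONAL
            if ok:
                other_success = True
    if saw_required:
        return (not required_failed, consulted)
    return (other_success, consulted)


# Illustrative stacks (assumed for this example, not a documented SAP stack).
# SPNego is OPTIONAL and a password module is SUFFICIENT, so a password
# alone is enough: the "still lets me log in" behaviour.
FALLBACK_STACK = [
    ("evaluate_ticket", Flag.SUFFICIENT),
    ("spnego", Flag.OPTIONAL),
    ("basic_password", Flag.SUFFICIENT),
]

# Kerberos-only: the SPNego module is REQUISITE, so a request without a
# valid Negotiate token fails immediately, password or not.
KERBEROS_ONLY_STACK = [
    ("evaluate_ticket", Flag.SUFFICIENT),
    ("spnego", Flag.REQUISITE),
]

# Order matters: a SUFFICIENT password module placed before the REQUISITE
# SPNego module short-circuits it, so passwords are accepted again.
MISORDERED_STACK = [
    ("basic_password", Flag.SUFFICIENT),
    ("spnego", Flag.REQUISITE),
]

# Simulated requests: which modules would succeed for each client
NO_TOKEN_WITH_PASSWORD = {"basic_password": True}
KERBEROS_TOKEN = {"spnego": True}
NOTHING = {}


def audit(stacks=None, requests=None):
    """Evaluate every (stack, request) pair; returns {(stack, request): bool}."""
    stacks = stacks or {"fallback": FALLBACK_STACK,
                        "kerberos_only": KERBEROS_ONLY_STACK,
                        "misordered": MISORDERED_STACK}
    requests = requests or {"password_only": NO_TOKEN_WITH_PASSWORD,
                            "kerberos": KERBEROS_TOKEN,
                            "nothing": NOTHING}
    return {(s, r): evaluate_stack(stack, req)[0]
            for s, stack in stacks.items() for r, req in requests.items()}


if __name__ == "__main__":
    for (s, r), ok in sorted(audit().items()):
        print(f"{s:14} {r:14} -> {'LOGIN OK' if ok else 'refused'}")
```

If the stack that serves the portal has a password module flagged SUFFICIENT after an OPTIONAL SPNego module, a browser that never sends a Negotiate token can still log in with a password, which matches the observation above; only a stack where the Kerberos module is REQUIRED or REQUISITE, and is not preceded by a SUFFICIENT fallback, refuses it. The model covers flag evaluation only, not SPNego's 401 challenge round trip.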
Hello David.
I've made the same mistake:
I went to the VA and changed the SAP-J2EE-Engine logon module to SPNegoLoginModule.
So could you tell me, how can I log on to VA now? Where can I activate SAP*? I've set the value ume.superadmin.activated = true, but I still cannot logon to VA.
And could you tell me where I need to define my SPNegoLoginModule for correct work of SPNego? If you have configured SSO using SPNego and have a step by step manual for it, could you send it to me?
Best Regards!
Vitali
[email protected]
Message was edited by: Vitali Chasalau
Similar Messages
-
Certificate signing and encryption - some changes still allowed...
I am trying to batch certify and encrypt PDFs. The PDF should only allow the user to print the document; however, after the JS runs the user can still extract pages and copy content; all other permissions are behaving as expected. Is another property missing that will trigger these misbehaviours to operate properly?
Also how does one use and read the cLegalAttest property? I have specified this property, but I cannot find the string in the signature panel.
Thank you for your help!
var certPath = "/C/Documents and Settings/rrh/Desktop/Sample/";
var curDoc = this;
var proCertPW = curDoc.info.cliId;
var proCertSig = curDoc.info.cliId + ".pfx";
var proCertFile = curDoc.info.cliId + ".cer";
var cliCertFile = curDoc.info.cliId + ".cer";
var solCert = security.importFromFile({cType: "Certificate", cDIPath: certPath + proCertFile});
var cliCert = security.importFromFile({cType: "Certificate", cDIPath: certPath + cliCertFile});
// defaultEncryptCert must reference the certificate imported above (solCert)
var oEntity = [{certificates: cliCert, defaultEncryptCert: solCert}];
curDoc.encryptForRecipients({
    oGroups: [{
        userEntities: oEntity,
        permissions: {
            allowAll: false,
            allowAccessibility: false,
            allowContentExtraction: false,
            allowChanges: "none",
            allowPrinting: "lowQuality"
        }
    }],
    bMetaData: true
});
// Certify the document without a visible signature
var f = curDoc.addField({cName: "CertifyDocument", cFieldType: "signature", nPageNum: 0, oCoords: [0, 0, 0, 0]});
f.display = display.hidden;
var s = {name: "My Company",
    location: "Monte Carlo, Monaco",
    reason: "I created this document specifically for " + curDoc.info.ClientName,
    contactInfo: "[email protected]",
    password: proCertPW,
    mdp: "allowNone"};
var sh = security.getHandler("Adobe.PPKLite");
sh.login(proCertPW, certPath + proCertSig);
sh.signInvisible = true;
sh.signAuthor = true;
f.signatureSign({
    oSig: sh,
    oInfo: s,
    bUI: false,
    cLegalAttest: "Do not distribute this document."
});
// log out of the same handler object that was logged in above
sh.logout();
Do you still have your LC environment setup?
No... ran out of time. Where can I find 26-hour days?
To disable Copy Content and Page Extraction you need to set the MDP (Modification Detection and Prevention) properties of your SignatureInfo object appropriately and make sure you are using a certificate for signing that is allowed to perform document certification and not simply document approval. Set your SignatureInfo.mdp value to "allowNone". This is the same as doing "Certify with Visible Signature" from the "Sign & Certify" menu as opposed to simply choosing "Sign Document", which will leave copy & extraction allowed as well. When the document is certified, copy & extraction are disabled.
I verified my code, and as far as I can tell, MDP is set properly. I also tested without the encryption, but content copying (both) and page extraction are still allowed. I double checked the Digital ID (pfx) that I made with Microsoft Certificate Services (via server); it was only for code signing. I created a "temporary" digital ID through Acrobat and it has permissions for <all>. The tickmarks for encryption, signing, etc. in security settings were also verified.
// certPath, solCertPW and solCertSig are defined earlier in the poster's script (not shown here)
var strcDIPath = curDoc.path.replace(".pdf", "");
var f = curDoc.addField({cName: "CertifyDocument", cFieldType: "signature", nPageNum: 0, oCoords: [0, 0, 0, 0]});
f.display = display.hidden;
var sh = security.getHandler("Adobe.PPKLite");
sh.login(solCertPW, certPath + solCertSig);
sh.signInvisible = true;
sh.signAuthor = true;
var s = {name: "My Company",
    location: "Monte Carlo, Monaco",
    reason: "This document created specifically for " + curDoc.info.preparedFor + ".",
    contactInfo: "[email protected]",
    password: solCertPW,
    mdp: "allowNone"};
f.signatureSign({
    oSig: sh,
    oInfo: s,
    cDIPath: strcDIPath + " (Certified).pdf",
    bUI: false,
    cLegalAttest: "Do not distribute this document."
});
sh.logout();
I was able to get the permissions needed by using P/W security then certifying the document.
Ok, with cLegalAttest, this also has to do with an MDP certification. When you apply an MDP signature to certify the document, it is scanned for legal warnings.
I suppose I have no legal warnings in my document. Maybe I could use this Godfather reference as a warning (it is work safe)?
http://www.foreignpolicy.com/images/090419_horse.jpg
Thank you for all your help and consideration. I have been using "js_api_reference 8.pdf"; does Adobe have a resource other than this document for PDF security and code? (I also have "acrobat_reader_security_9x.pdf")
-
Allowing non-administrator users to deploy workflows
I need to allow users who do not have admin group access on the server to deploy workflows. How can I do this? Is there a group to which I add them (_pcastserver didn't work)? Ideally, I would like to enable persons in a few Active Directory groups to deploy workflows, but if they need to be individual user IDs, that's (marginally) acceptable.
Thanks,
Charles
From our Apple Sales Engineer:
"The closest thing to allowing non-administrators to be able to submit workflows would be to configure users or groups as Podcast Producer administrators only. They would then be able to submit workflows, but would also be able to configure Podcast Producer within Server Admin.
Server Admin --> Server --> Access --> Administrators --> Podcast Producer
Add a user or group and grant the ability to administer. They will not have the ability to administer the server or escalate to root privileges."
These users still have access to Administer Podcast Producer with Server Admin though.
-
Windows Authentication Kerberos - Logon with different windows user
I've successfully set up Windows Integrated Authentication/SPNego/Kerberos logon on my portal. Now when I launch the portal from a workstation I am logged on automatically with my Windows userid without needed to provided userid and password again - very happy!
When I press logoff the portal returns to the logon screen, sees that I've got a kerberos ticket, and logs me straight back on! Not happy!
As an administrator or as a super user, it is sometimes necessary to log on with an administrative userid or to visit an end user and log on as myself on their workstation. Therefore, I need a mechanism to override the automatic logon and force a basic password prompt screen.
As I understand it I can achieve this by creating a special iView with its own authscheme which does not use SPNego. I could either point the logoff redirect url setting to this iView or I could simply enter the quicklink for the iView in the browser. Will this circumvent the automatic logon and, if so, is there anything special I need to do to achieve this?
I had hoped to use the standard logon screen as the iView. I've got that stored in a par file (along with my corporate icons and a link to local help files). I uploaded the par file through system administration - support - portal runtime - administration console and thought I might be able to see that when I created a portal component iView but it's not visible. Should it be?
When I need to logon as a test user, I find it easier to disable the integrated Windows authentication in the browser. You can do that in the menus, but I change the registry. Create two text files (e.g., DisableKerb.reg and EnableKerb.reg).
Disable.reg:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableNegotiate"=dword:00000000
Enable.reg:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableNegotiate"=dword:00000001
Then just double-click to change your authentication mechanism.
Regards,
Sean
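A server-side check of what the browser actually presented, as an added example that is not SAP's or Microsoft's code: with EnableNegotiate off the browser sends no Negotiate header at all, so the portal can only fall back to a form or Basic prompt; with it on, the header may carry SPNEGO wrapping Kerberos, SPNEGO wrapping NTLM, or raw NTLMSSP, and only the first is a Kerberos logon. The classifier below parses the outer GSS-API token framing (RFC 2743) and the SPNEGO NegTokenInit mechTypes list (RFC 4178) and reports the client's preferred mechanism. The hostnames and Authorization values are constructed for this example; the SPNEGO tokens carry only mechTypes and no real ticket.

```python
"""Classify the Authorization header a browser sent (added example).

Recognises raw NTLMSSP, GSS-API initial tokens carrying Kerberos or
SPNEGO, and for a SPNEGO NegTokenInit reports the first (preferred)
mechanism in mechTypes. Sample requests at the bottom are constructed.
"""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a") # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, first_content_byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _walk(buf, pos, tag):
    """Expect a TLV with `tag` at pos; return (content_start, content_end)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at {pos}")
    length, start = _der_length(buf, pos + 1)
    if start + length > len(buf):
        raise ValueError("truncated TLV")
    return start, start + length


def classify_authorization(header):
    """Map one Authorization header value to what the client really offered."""
    if not header or not header.strip():
        return "none"                  # no integrated auth attempted at all
    scheme, _, rest = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme != "negotiate":
        return "other"
    try:
        tok = base64.b64decode(rest.strip(), validate=True)
    except ValueError:
        return "malformed"
    if tok.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                  # raw NTLMSSP, no SPNEGO wrapper
    if tok[:1] == b"\xa1":
        return "spnego-response"       # NegTokenResp: a later round trip
    try:
        start, _ = _walk(tok, 0, 0x60)          # [APPLICATION 0] InitialContextToken
        oid_s, oid_e = _walk(tok, start, 0x06)  # thisMech OID
        mech = tok[oid_s:oid_e]
        if mech in (KRB5_OID, MSKRB5_OID):
            return "kerberos"          # bare Kerberos AP-REQ, no SPNEGO
        if mech != SPNEGO_OID:
            return "unknown-mech"
        p, _ = _walk(tok, oid_e, 0xA0)          # NegotiationToken [0] NegTokenInit
        p, _ = _walk(tok, p, 0x30)              # SEQUENCE
        p, _ = _walk(tok, p, 0xA0)              # mechTypes [0]
        p, end = _walk(tok, p, 0x30)            # SEQUENCE OF MechType
        mechs = []
        while p < end:
            s, e = _walk(tok, p, 0x06)
            mechs.append(tok[s:e])
            p = e
    except (ValueError, IndexError):
        return "malformed"
    if not mechs:
        return "malformed"
    if mechs[0] in (KRB5_OID, MSKRB5_OID):
        return "spnego-kerberos"
    if mechs[0] == NTLMSSP_OID:
        return "spnego-ntlm"
    return "spnego-other"


# Constructed sample data; the builder exists only to fabricate test input.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_neg_token_init(mech_oids):
    """Minimal NegTokenInit with only mechTypes (no mechToken): constructed."""
    mech_types = _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_oids))
    init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, mech_types)))
    return _tlv(0x60, _tlv(0x06, SPNEGO_OID) + init)


def _b64(raw):
    return base64.b64encode(raw).decode()


SAMPLE_REQUESTS = {  # constructed; hostnames are placeholders
    "ws-kerberos": "Negotiate " + _b64(build_neg_token_init([KRB5_OID, MSKRB5_OID, NTLMSSP_OID])),
    "ws-ntlm-only": "Negotiate " + _b64(build_neg_token_init([NTLMSSP_OID])),
    "ws-raw-ntlm": "Negotiate " + _b64(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"),
    "ws-negotiate-off": None,          # EnableNegotiate=0: no header at all
    "ws-basic": "Basic " + _b64(b"user:secret"),
}


def audit(requests=SAMPLE_REQUESTS):
    """Classify every sample request; returns {hostname: classification}."""
    return {host: classify_authorization(h) for host, h in requests.items()}
```

Run over an access log of the logon URL, the classifier separates workstations that genuinely negotiated Kerberos from those that offered only NTLM (a typical sign of a missing SPN, a non-trusted site zone, or a clock skew) and from those that sent nothing, which is what a client with EnableNegotiate set to 0 looks like to the portal.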
-
My classic video ipod won't switch back to regular video mode after using it on an elliptical. The port still allows me to charge and works on the elliptical and treadmill but it will no longer change modes to allow me to watch my shows on the ipod screen
From the iPod's Main Menu choose Videos -> Settings and make sure TV Out is set to Off.
Otherwise, try a hard reset as well. To do this, press and hold both the Select (Center) and Menu buttons together long enough for the Apple logo to appear.
B-rock
-
How do I move from one website to another using Safari, while still allowing Pandora to provide music in the background? It seems that when ever I open a new URL, I lose Pandora.
Try running Pandora in its own tab and leaving that tab open (Safari 7.1.5, OS 10.9.5). I don't have Pandora to try this, but it works for me otherwise.
Good luck
srb
-
My old laptop appears to be a victim of Bit Rot according to an IT person who was here helping me. All of the support material I've seen so far related to moving bookmarks from one computer to another seem to assume that Firefox can be launched on the old computer (which can't be done in my case). I'd like to figure out how to use the files which may hold my extensive bookmark data while the old computer is still allowing me to access those files and save to a removable thumb drive.
Fortunately I seem to have found and still have access to the old Profile files you're mentioning but I don't know how to make use of them such that Firefox on my new computer can incorporate all the data they hold. Again, I'm not able to open Firefox on the old computer. Any ideas how to use these .sqlite files on the new computer to get myself operable how I had been w. Firefox on the old broken one?
-
My daughter has a mac air that she needs for homework and school documents. She is however so distracted by her access to all that the internet has to offer that she is forever "doing homework"! How can I block some of her access while still allowing her to actually do homework and use Safari for research?
Thanks for your help
Parental Control - found in System Preferences.
-
I am trying to set up a child account where websites are restricted unless they are on the approved list, however youtube is still allowed. How do I block youtube?
Hello jmkibert,
Thank you for using Apple Support Communities.
For more information, take a look at:
OS X Mavericks: Set up parental controls
http://support.apple.com/kb/PH14414
Web > try to limit access to adult websites > customize > never allow these websites.
Have a nice day,
Mario
-
Buying a used iPad... what is the oldest generation of iPad that will still allow me to run IOS8 and allow for future IOS updates?
Thanks
An iPad 2 will do it...for a while. Realize that it's seemingly on its last legs as far as iOS updates go and performance will not be great enough for today's demanding games. Also realize that a big part of running apps smoothly is how much system RAM (the memory area that the apps actually run in) the device has. The iPad 2 has 512 MB which is adequate for most apps but not for some. The iPads above the iPad 2 all have 1 GB of system RAM and the iPad Air 2 has 2 GB.
The time will come when the iPad 2 can no longer be updated past a certain iOS version (as the iPad 1 is) so it will be more difficult to keep up with apps that you want to be using. This will eventually happen to ALL devices so you'll have to judge if you want to be at the tail-end of iOS updates or at least have a bigger buffer with a newer iPad.
-
PO- Why PO still allow to change after Delivery Completed has ticked.
Dear All,
I'm doing functional testing for MM, but I realised that the PO still allows changes after delivery completed has been ticked.
Can I know if there is a way to restrict any change after any goods receipt or delivery completed?
Thank you very much,
Regards,
Chee Wee
Hi,
Here we have same problem that after tick GR completed system allow to take further receipt though PO is not open.
We communicated with SAP and there is no function available to close the PO for receipt until you reduce the PO qty to the GRN qty or loca / delete the line item.
We wrote a user exit to check the tick in the PO for whether GRN is allowed or not, and that gives an error message.
You can do same for GRN.
Regards,
Chetan Mistry
-
I had 4 installation disks but the last installation disk is missing. I am still allowed to keep the Photoshop, InDesign and Illustrator software on the computer, but I can only keep that on a trial of 30 days. In order to use it permanently, I have to activate the Suite. As the phone activation service is no longer available, I tried the online activation as mentioned in the phone message when I tried to call, but it was not successful as it didn't bring me to an activation page. What should I do to activate it or solve the problem?
There should be an option to activate when you run any of the installed programs.
-
Hi, I wish to buy an Adobe Master Collection CS3 (Corporate Edition) from someone in the US and I hope to use it in the UK. Does anyone know if this can be done without any problems, also does Adobe still allow people to register the CS3 Corporate Edition? any help would be greatly appreciated
The flaw is here:
corporate edition
...which essentially means it's most likely a volume license and thus not transferable in the first place. The rest is as Steve said - buying software on eBay is risky even on the best of days.
Mylenium
-
I currently have Mac OS X 10.5.8. What can I upgrade to that will still allow my programs to work (iWork '08 mainly)?
Choose About this Mac from the Apple menu and check the processor.
If you're using a PowerPC G4 or G5 Mac, nothing; they can't be upgraded past 10.5.8.
If you're using an Intel Mac, click here and look the applications up.
-
I use Plaxo for my contacts, and I want it to synch my Outlook contacts with my PC. I got a new HP PC with the (awful) Windows 8.0 operating system, and, to say the least, I miss the good old days. Plaxo customer support tells me that I can't use my iCloud contact synch because they clash.
My question: How do I disable my iCloud contact synch feature while still allowing the rest of iCloud (music, photos) to operate as usual.
What mysterious steps must I take in order to do this and not cause a complete meltdown in the process? The meltdown that I fear most is the one that happens between my ears.
Music is nothing to do with iCloud but Photostream is, so turn off Mail, Contacts and Calendars (in the iCloud Control Panel) and leave everything else on.
You will lose iCloud Calendars and Mail as well as Contacts, but you can manually re-enable mail (if you use iCloud email)