SSO Authentication Not Working

Similar Messages

• NTLM SSO is not working using IIS

  Hi,
  We have unable to login to the infoview using SSO getting u201C page canu2019t found u201C error.
  1. We can  login to the infoview using AD authentication when tomcat as the application server but we are  unable to login to the infoview using SSO when IIS as the application server.
  2. If we select  the option called u201Cintegrated windows Authenticationu201D under internet options then the  SSO is not working and if we  uncheck the u201Cintegrated windows Authenticationu201D in the internet options then we are  able to login to the infoview using SSO.We are  able to login to the infoview using SSO on another environments and the working and problematic environments we  Configured IIS6, XI2 SP4.
  4.We tried to login to the infoview using http://servername instead of entire URL however we are getting error.
  5.We restarted IIS but no use.
  6.Our admin follow the below options-
  Open a registry editor, such as Regedit.exe or Regedt32.exe.
  Navigate to:
  HKLM\System\CurrentControlSet\Services\HTTP\Parameters
  Right-click Parameters, select New | DWORD value, and then name the value MaxFieldLength.
  Right-click Parameters, select New | DWORD value, and then name the value MaxRequestBytes.
  In the right pane, double-click MaxFieldLength, and then set its value to 32768 (decimal).
  In the right pane, double-click MaxRequestBytes, and then set its value to 32768 (decimal).
  Close the registry editor and restart the IIS Admin service for the change to take effect.
  But we are getting same problem.
  7.We  tried  to login to the infoview using http://localhost but issue still persists.
  8.We installed jakarta redirector.Is this root cause of this issue?
  9.We selected  intigrated windows authentication under default websites and i am sure i gave all the options under internet information  manager.
  Any one please help on this.
  My environment is-
  BOXIR2 SP4,
  NTLM SSO,
  Windows 2003,
  IIS6.

  "We tried to login to the infoview using http://servername instead of entire URL however we are getting error"
  What's the error using the hostname for SSO with integrated windows authentication enabled on only the infoview virtual directory?
  Regards,
  Tim

• SSO is not working for an Alias URL but is working for original portal URL

  Hello,
  We have a BSP running inside the portal and expects authentication.
  When I run this BSP using the portal regular address everything is working OK and SSO is working after logging into the portal.
  At next step, we have configured an alias for the portal URL at the DNS Server.
  When activating the BSP from the alias URL it asks for 2nd authentication. Meaning, SSO is not working after logging into the portal.
  I have activated an HTTP trace in order to see why and it seems like when running it from the alias name it recognizes it as a different domain and I assume this is why the authentication is coming up.
  I would like to suppress this for the alias URL but don't know how.
  I found this UME property on the server:ume.logon.security.relax_domain.level
  This UME property controls the amount of sub domains to remove from the server name to obtain the domain for which the logon ticket is valid.
  I have changed this property from its default value 1 to 3 (and restarted the server of course) which, in our case, leaves only ourCompany.com for the ticket in the original server URL. Yet, the authentication pop up is still not supressed when browsing through the alias URL.
  Any idea what can I do next?
  Thanks,
  Roy

  Hi Dezso,
  I found the 401 let me know if I look on it right:
  I have an entry node with two subnodes: request and response.
  The response has:
  <responseStatus>HTTP/1.1 401 Unauthorized</responseStatus>
  And the request before that doesn't have any MYSAPSSO2 in it, all it has which is related to cookies is this:
  <header name="Cookie">UserUniqueIdentifier=1174345919524; alreadyLogged=1179560552416</header>
  <cookies>
  <cookie name="alreadyLogged">1179560552416</cookie>
  <cookie name="UserUniqueIdentifier">1174345919524</cookie>
  </cookies>
  Can you advice what to do next?

• [svn] 1720: Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints .

  Revision: 1720
  Author: [email protected]
  Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
  Log Message:
  Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
  QA: Yes
  Doc: No
  Details:
  Update to the TomcatLoginCommand to work correctly with NIO endpoints.
  Ticket Links:
  http://bugs.adobe.com/jira/browse/LCDS-304
  Modified Paths:
  blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand. java

  Revision: 1720
  Author: [email protected]
  Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
  Log Message:
  Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
  QA: Yes
  Doc: No
  Details:
  Update to the TomcatLoginCommand to work correctly with NIO endpoints.
  Ticket Links:
  http://bugs.adobe.com/jira/browse/LCDS-304
  Modified Paths:
  blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand. java

• SSO does not work

  Hi...
  I'm trying to use SSO between portal (jCo, webdynpro...) and ABAP System...
  I follow "Single Sign-On in a Complex System Landscape" tutorial, but when I try to test any jCo connection, this error appears to me:
  com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: Failed to enrich connection properties
  And following logs, I can see this error:
  Cannot provide X.509 certificate of user "Silva, Jose" (unique ID: "USER.PRIVATE_DATASOURCE.un:123456") because of an unexpected UME internal problem. (Backend system: "UMESystemLandscapeDummy")
  [EXCEPTION]
  com.sap.security.api.umap.NoLogonDataAvailableException: This user does not have a certificate.
  at com.sap.security.core.umap.imp.UserMappingDataImp.enrich(UserMappingDataImp.java:412)
  at com.sap.tc.webdynpro.serverimpl.core.sl.AbstractJCOClientConnection.createPool(AbstractJCOClientConnection.java:346)
  at com.sap.tc.webdynpro.serverimpl.core.sl.AbstractJCOClientConnection.checkPoolEntry(AbstractJCOClientConnection.java:296)
  at com.sap.tc.webdynpro.serverimpl.core.sl.AbstractJCOClientConnection.getClient(AbstractJCOClientConnection.java:396)
  at com.sap.tc.webdynpro.tools.explorer.JCOConnectionsDetails.onActionTestConnection(JCOConnectionsDetails.java:229)
  at com.sap.tc.webdynpro.tools.explorer.wdp.InternalJCOConnectionsDetails.wdInvokeEventHandler(InternalJCOConnectionsDetails.java:303)
  at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.invokeEventHandler(DelegatingView.java:87)
  at com.sap.tc.webdynpro.progmodel.controller.Action.fire(Action.java:67)
  at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doHandleActionEvent(WindowPhaseModel.java:420)
  at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:132)
  at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
  at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:313)
  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
  at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
  at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
  at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
  at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
  I don't know what to do...
  My portal certificate has a problem, or is my abap certificate?
  Thanx...
  (sorry for my poor english)

  Hi,
  If you are working with JCO's please make sure that SSO will not work for metadata jco creation.
  use the UID PWD method as part of metadata jco creation.
  it will work fine
  this messege as per my knowledge, may be helpfull for you

• SSO logout not working properly (cookie remains set)

  Hi, I've just implemented single sign-on authentication for my APEX 2.2 applications with help of these two howtos:
  http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html#INSTALL
  http://becomeappsdba.blogspot.com/2007/01/apex-apps-configure-sso-ii.html
  It quite works smoothly, e.g. for pages that require authentication the user is redirected
  ("Redirecting to the Login Server for authentication...") to the SSO server (another machine, a part of Oracle Collaboration Suite infrastructure). There on the login screen, the user enters the credentials and after submit (if the credentials are OK) is redirected back to the APEX application as an authenticated user.
  When the user clicks "Logout", the application redirects him (her) to the page specified in the "Logout URL" attribute of the SSO authentication scheme and the displayed username changes to "nobody". So far so good.
  However, the problem is that the user is in fact not logged out. On a subsequent attempt to get to an authenticated page within the same browser window the application displays for a short while "Redirecting to the Login Server for authentication..." but it doesn't really get the user to the SSO logon screen to enter username and password and instead it redirects him (her) directly to the required page as the previously authenticated user (the user who clicked the "Logout" sign). The only workaround is to close the browser window and start over again as the other user, which is not very convenient nor secure. It seems that despite the seeming logout the cookie remains set and I don't how to force the application to get rid of the cookie upon logout.
  Has anybody faced this behaviour and has some assistance for me?
  Thanks in advance.
  Zdenek

  Scott,
  thank you very much for your prompt explanation and pointing to the right thread. There, I was able to quickly find what I was looking for - the logout URL:
  https://host:port/pls/DAD/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:https://login.yourlogin.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGE
  Having that, it took me just 5 minutes to adopt it to my conditions (change machine names & page number), paste it to the SSO authentication scheme's logout URL field and sucessfully test it.
  To summarize for others in need, these are relevant links to this topic:
  Re: Partner Application in SSO logout does'nt synchronize
  SSO authentication
  Logout URL for 9iAS SSO Partner App
  Thanks again & appologies for asking this question without preceding proper searching for answer in this excelent & useful forum.
  Zdenek

• Safari 5.0.3 on Windows XP Kerberos SSO does not work

  Our web application runs on JBoss Server 5 supports Kerberos v5 SSO. We have tested it against Firefox, IE, and Google Chrome, and they all works well.
  But Safari 5.0.3 does not work.
  Our application sends "WWW-Authenticate: Negotiate" to Safari. Safari always pops up a dialog for name and password. After I typed the name and password, and click Login, Safari send NTLM message (NTLMSSP_NEGOTIATE) to the web application, and login failed.
  Someone described that Safari supports Kerberos authentication without any additional configuration.
  I do not know what goes wrong with my environment and how to solve this issue. Your help is appreciated.
  My Safari 5.0.3 runs on Windows XP Professional Service Pack 3.
  Thanks
  Guofeng

  I'm having the same issue. Have you been able to resolve it?

• Kerberos Authentication Not Working on OS X 10.6

  Using FF version 20.0, on OS X 10.6.8, I can not get it to use Kerberos authentication to allow SSO to a SharePoint web site.
  On OS X 10.8, with the same configuration in the about:config, everything works fine - the user is not prompted for credentials.
  I have put the necessary entires in network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uris, network.negotiate-auth.gsslib is set to true.
  When I have setup to log the errors from the authentication module, I find in the log file "Fail to load gssapi library".
  Interestingly on 10.8, when I start Firefox from the command line the Kerberos authentication does not work. When I start it via the icon, it does. What is the difference? Are the preferences not being loaded when launching via the command line?
  Thanks for any help,
  Richard

  Found the solution:
  Was a combination of kinit being run on login (apparently a known 10.6 bug). Our Mac team were able to alter the appropriate plist file so that this does happen on login.
  We also had to add an extra SPN for the actual server, as well as the DNS name of the SharePoint site we were trying to access with Kerberos authentication - although this may have something to do with using host-named site collections at the SharePoint end.
  Main problem was the kinit thing though.

• SSO is not working for SAPGUI for HTML

  Hi Experts,
  We have configured SSO between EP and ECC.SSO is working fine for SAPGUI for windows.But it is not working for SAPGUI for HTML.
  Workflow iViews are getting error.
  "SWITCH to HTTPS does not occur."
  The domain names are different for EP and ECC.
  Please let me know ,is there any settings need to check.
  Regards,
  Bala.

  Hi
  The point here is that your Portal server is on a different domain, so you have to configure the logon ticket issuer (portal) to generate logon ticket for multiple domains.
  http://help.sap.com/saphelp_nw04s/helpdata/en/a0/88a340fa432b54e10000000a1550b0/frameset.htm
  Best regards
  Johann

• Ldap authentication not working for Solaris 8 host - Help!

  Greetings folks,
  I just recently migrated a host to use LDAP authentication. The only difference between this host and the rest of the hosts in the environment that I've converted to use LDAP is that this one is running Solaris 8.
  Here's the steps I took to migrate it (though, I used the same steps for another Sol8 host in another environment and it works fine):
  ldapclient -P stg -d mydomain.com -D cn=proxyagent,ou=profile,dc=mydomain,dc=com -w secret 192.168.1.69
  My /etc/nsswitch.conf looks like this:
  passwd: files ldap
  group: files ldap
  My /etc/pam.conf looks like this:
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth sufficient pam_unix_auth.so.1
  login auth required pam_ldap.so.1
  sshd auth requisite pam_authtok_get.so.1
  sshd auth sufficient pam_unix_auth.so.1
  sshd auth required pam_ldap.so.1
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth sufficient pam_unix_auth.so.1
  other auth required pam_ldap.so.1
  passwd auth sufficient pam_passwd_auth.so.1
  passwd auth required pam_ldap.so.1
  I've also cleared out the local user accounts for my human users, so there aren't any more passwd or shadow entries (yes, I ran pwconv). I also cleaned out the /etc/group entries for the same users. The machine appears to be configured properly, because I can run various DS commands that indicate this:
  hostname# getent passwd user1
  user1::1001:1001:User 1:/opt/home/user1:/bin/bash
  hostname# ldaplist -l passwd user1
  dn: uid=user1,ou=people,dc=mydomain,dc=com
  shadowFlag: 0
  userPassword: {crypt}(removed)
  uid: user1
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: account
  objectClass: top
  cn: user1
  uidNumber: 1001
  gidNumber: 1001
  gecos: User 1
  homeDirectory: /opt/home/user1
  loginShell: /bin/bash
  However, in the end, actual logins to this host fail via ssh. Snooping the traffic reveals that all the right info is being handed back to the client, including the crypt'ed password hash, uid, etc. just like I see with other hosts that work.
  Any ideas?
  Thanks!
  Patrick

  I assume you have applied lastest kernel patch and 108993 to this Solaris8 machine, and its nss_ldap.so.1 and pam_ldap.so.1 are the same as the other Solaris8 LDAP clients that are working for ssh via LDAP auth.
  1) Please replace "objectClass: account" with "objectClass: person", I know SUN ONE DS5.2 likes "person".
  2) Did you test and verify telnet/ftp/su working? but SSH not working?
  3) If telnet/ftp/su all worked, and SSH (SUN-SSH or OpenSSH), make sure you have "UsePAM yes" in sshd_config and restart sshd.
  4) It is not a must I think but normally I will add "shadow: files ldap" to /etc/nsswitch.conf, restart nscd after that.
  5) Whenever ldapclient command is run and ldap_cachemgr is restarted, I usually also restart nscd and sshd after that, if not testing result may not be accurate as nscd is still remembering OLD stuffs cached which could be very misleading.
  6) You may use "ssh -v userid@localhost" to watch the SSH communications, on top of your usual "snoop"ing of network packets.
  7) Use the sample pam.conf that is meant for pam_ldap from Solaris 10 system admin guide with all the pam_unix_cred.so.1 lines commented out. This works for me, there is no sshd defintions as it will follow "other".
  http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
  Gary

• WLC 8500 SSO HA not working

  Hi there,
  We're running AireOS 8.0 in a  WLC 8500 series and we're getting problems trying to enable HA scenario. These are the scenarios we have tested:
  management interface tagged + switchport trunk tagged + HA tagged + switchport trunk tagged = SSO not working
  management interface tagged + switchport trunk tagged + HA tagged + switchport access = SSO not working
  management interface untagged + switchport trunk native vlan + HA untagged + switchport access = SSO not working
  No scenario is working and in cases 1 and 2 we are lossing the associated APs and we only recover them in case 3.
  In parallel, after enabling tagged interface in management, the "show ip arp" of the switch shows the IP through the HA interface and the ping is lost outwards WLC and inwards.
  Any suggestion?
  Regards.

  Try to delete the config on  switch and try this.
  Switch config :
  interface range <>
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan X,Y,Z
  Channel-group <> mode on
  Still not working then check if WLC is reachable via ssh or telnet!
  if you have access via ash or telnet then reboot WLC by using "reset system" command .
  hope it helps.
  Regards
  Dont forget to rate helpful posts

• Sg300 - 802.1x NPS - mac authentication not working

  I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
  Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
  My current port configuration on the SG300:
  interface fastethernet1
   dot1x guest-vlan enable
   dot1x max-req 1
   dot1x reauthentication
   dot1x timeout quiet-period 10
   dot1x authentication 802.1x mac
   dot1x radius-attributes vlan static
   dot1x port-control auto
   switchport mode access
  On the Windows NPS server there is following error to see:
  Authentication Details:
      Connection Request Policy Name:    Secure Wire
      Network Policy Name:        -
      Authentication Provider:        Windows
      Authentication Server:        myradius.local
      Authentication Type:        -
      EAP Type:            -
      Account Session Identifier:        30353030399999
      Reason Code:            1
      Reason:                An internal error occurred. Check the system event log for additional information.
  There is compared to the message from the 3850 the authentication type missing (PAP) and a not very helpful error message displayed...

  Still not working.
  I tried different settings and (also older) software versions on the SF302-08P.
  Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
  The NPS reports following error:
  Schannel:
  The following fatal alert was received: 40.
  EventID 36887
  If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
  ... is this a bug on the SF302-08P?

• Cisco Ise Central Web authentication not working

  Hello Guys,
  CWA is not working. It says that authentication suceeded but posture status is pending. No error in my Monitor--authentication. Checking it in my Windows 7, it does not shows the CWA portal.
  What might be the possible problem of this.?
  thanks

  Kindly review the below links:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• "Allow insecure authentication" not working on mac mail after upgrade to Yosimite

  I recently upgraded to the new Yosemite OS.  Since then, I have not been able to access my ISP's IMAP server. After spending time troubleshooting with the service provider, it seems that the "allow insecure authentication" feature is not working.  The password appears to be sent as a series of "*" which the server can not recognize and I fail the login. It is of note that I am still able to access this email account through my iPhone 4S with all the same settings and had no issues before the Yosimite upgrade. Is there anyway around this issue?

  I had the same problem. Rebooting the computer fixed the issue for me.

• J2EE and user authentication not working

  Hi,
  has anyone gotten the basic/form based authentication to
  work in the latest version of the 9iAS?
  Oracle9iAS (9.0.2.0.0)
  I've read all the posts and articles from orionsupport.com
  BUT it still does not work.
  Support Folks from ORacle: Where is the latest documentation
  for the Server ???? Everything seems outdated??
  cheers,
  Vijay

  Hi,
  You can change User and password through SU01 through UME. and also read SNote:  Note 891614 - Login problems / Expired password
  Regards
  Thomas