SSO in Clustered Environment using Trusted Authentication

Hi All,
We have set up a clustered BOE 3.1. Our setup is clustered CMSs and the remaining servers clustered on 2 separate machines, with a cluster of 2 WebLogic managed servers as the web tier. We are using Novell Access Manager to load balance between the two WebLogic managed servers.
Now, how do we set up single sign-on in this environment? Can we simply use trusted authentication? For this, do we just have to enable trusted authentication and give the shared secret in CMS1, and change the web.xml at <DeployedLocation>\Business Objects\BusinessObjects Enterprise 12.0\warfiles\WebApps\InfoViewApp\WEB-INF at CMS1?
Please advise.
Thanks,
Rakesh

Trusted auth will not work without a shared secret. You specify it once in the CMC > Authentication, Enterprise and on each web/app in a TrustedPrincipal.conf file. This is only half the battle, as you have to select the method by which you are supplying the username and then provide the username via a 3rd party (these steps are not documented except for remote_user and query_string).
Regards,
Tim
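
The reply above puts the shared secret in the CMC and again in a TrustedPrincipal.conf on each web/app node, which is where a clustered web tier can drift. The following check is an added example, not code from the thread or from SAP: it assumes the file carries a single `SharedSecret=<value>` line as described further down this page, and the node names and secrets are constructed.

```python
import hmac

QUOTES = "\"'\u201c\u201d"  # straight and curly quotes that creep in via copy/paste

# Constructed sample: file text per web-tier node, None where the file is absent.
SAMPLE_NODES = {
    "web1": "SharedSecret=constructed-example-secret\n",
    "web2": "\u201cSharedSecret=constructed-example-secret\u201d\n",
    "web3": None,
    "web4": "SharedSecret=old-constructed-secret\r\n",
}


def parse_shared_secret(conf_text):
    """Return (value, problems) for the text of one TrustedPrincipal.conf."""
    value, problems = None, []
    for raw in conf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        key, sep, val = line.partition("=")
        if not sep or key.strip(QUOTES + " ") != "SharedSecret":
            continue
        if value is not None:
            problems.append("more than one SharedSecret line")
        if line[0] in QUOTES or line[-1] in QUOTES:
            problems.append("quote characters around the line or value")
        value = val.strip()
    if value is None:
        problems.append("no SharedSecret line")
    elif not value:
        problems.append("empty shared secret")
    return value, problems


def audit_cluster(expected_secret, node_confs):
    """Compare every node's secret with the one entered in the CMC.

    Secrets are compared in constant time and never written to the report.
    """
    report = {}
    for node, text in sorted(node_confs.items()):
        if text is None:
            report[node] = ["TrustedPrincipal.conf missing"]
            continue
        value, problems = parse_shared_secret(text)
        if not problems and not hmac.compare_digest(
            value.encode("utf-8"), expected_secret.encode("utf-8")
        ):
            problems.append("secret differs from the CMC value")
        report[node] = problems or ["ok"]
    return report


def nodes_needing_fix(report):
    """Names of nodes whose file would not match the CMC secret."""
    return [node for node, findings in report.items() if findings != ["ok"]]


if __name__ == "__main__":
    result = audit_cluster("constructed-example-secret", SAMPLE_NODES)
    for node, findings in result.items():
        print(node, "->", "; ".join(findings))
```
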

Similar Messages

  • Invalid Login Using Trusted Authentication

    My productive database server always reports "Invalid Login Using Trusted Authentication" in udump. Could you tell me what it means? Would it influence Oracle running?

    Can we test a single connection using SQL authentication? If it still persists, you have to double-check that credential,
    whether it is still trying to connect to SQL Server, and identify whether it is hitting the
    same DB on the same server or other DBs, since I do think this error is related to other DBs.
    Kindly work it out and please let me know your feedback.
    Shehap (DB Consultant/DB Architect) Think More deeply of DB Stress Stabilities

  • Open document SSO using trusted authentication.

    Hi ,
    I have an issue.
    We configured trusted authentication with SSO and it is working fine.
    Now we want to configure open document SSO for trusted authentication.
    We are using the Remote_user method for trusted authentication.
    Can anyone please help me with this?
    Thanks for your help in advance.
    Thanks & Regards,
    Collin.

    The same settings in the infoviewapp web.xml must be applied on the opendocument web.xml. Also you must be on XI 3.1 FP1 or higher. There is currently an Edge issue being investigated.
    Regards,
    Tim

  • Single Signon using Trusted Authentication - version 3.0

    There was good documentation on this in version 2 but looks like 3.0 it was just copied and not much added.
    I am using the ISAPI redirector and have figured out the single signon, but it logs in to the little window that used to contain the login when no SSO is enabled.
    So, what piece am I missing?  Do I need a newer ISAPI redirector?

    "madhav" <[email protected]> wrote in message
    news:3fa67a2c$[email protected]..
    > We are trying to enable single sign-on through perimeter authentication. We are
    > trying to accomplish the same using DefaultAuthenticator and DefaultIdentityAsserter.
    > We have the following questions
    > 1. Weblogic documentation says that the following authentication types are supported
    > username/password, certificate and perimeter. Where do I set the perimeter authentication
    > type Ex: In web.xml, I can specify basic, Form or Client-Cert as the auth method.
    > How do I specify that the authentication method is perimeter based.
    You use client-cert. This causes the servlet container to look for identity
    assertion tokens in request headers and cookies. There is a CR to separate this
    from the authentication method.
    > 2. How do I create a token for the DefaultIdentityAssertor.
    > Upon investigation in the AssertIdentity method of the DefaultIdentityAssertor,
    > the code snippet from DefaultIdentityAssserterProvideImpl.java is the following
    You define your token format and implementation and then write a corresponding
    identity asserter. It handles the tokens, not the default identity asserter.
    > Is there a mechanism to generate the token for the AuthenticatedUser token type. We
    > are trying to pass the token as a part of the HTTPHeader using the
    > URLConnection.setRequestProperty("AuthenticatedUser", tokenString). We tried two
    The authenticated user token type really should have been internal and not
    exposed as a token type. Don't use it - define your own token type.
    See the dev2dev security provider samples for an example of how to do this.

  • Trusted Authentication

    Is it possible to open session with BO server using Trusted Authentication?
    Regards,
    Aleksejs

    Yes, you can.  (I only have the java code summary - but it should give you an idea for what to do in .NET)
    SYNOPSIS:
    How to use Trusted Authentication with SSO to InfoView using Enterprise Session?
    There may be a situation where only the enterprise username is known in the custom application. Trusted Authentication can come in pretty handy.
    SOLUTION:
    Setup the Trusted Authentication first:
    I. Enable Trusted Authentication in BOE.
    1. Logon to Central Management Console with Administrator
    2. Click on "Authentication"
    3. Check the "Trusted Authentication is enabled"
    4. Enter the "Shared secret"
    5. Click Update
    II. Create/edit TrustedPrincipal.conf
    1. Create or open C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\plugins\auth\secEnterpise\TrustedPrincipal.conf
    2. Type in "SharedSecret=<shared secret value>" (without double quotes)
    3. Save the file.
    III. Deploy custom JSP
    1. Create a JSP in <webapps>/businessobjects/enterprise115/desktoplaunch/InfoView/logon.
    2. Copy and paste in the following code:
    <%@ page import = "com.crystaldecisions.sdk.framework.CrystalEnterprise"%>
    <%@ page import = "com.crystaldecisions.sdk.framework.ISessionMgr"%>
    <%@ page import = "com.crystaldecisions.sdk.framework.IEnterpriseSession"%>
    <%@ page import = "com.crystaldecisions.sdk.occa.security.ILogonTokenMgr"%>
    <%@ page import = "com.crystaldecisions.sdk.framework.ITrustedPrincipal" %>
    <%
    // Log on to the CMS as a trusted principal, without a password
    ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();
    ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>");
    IEnterpriseSession enterpriseSession = sessionMgr.logon(trustedPrincipal);
    // Store Enterprise session in HttpSession     
    session.setAttribute("MyEnterpriseSession", enterpriseSession);
    // Construct URL and redirect to InfoView start page.
    // ivsEntSessionVar is the reference to the HttpSession variable.
    String url = "http://<server name>:<port>/businessobjects/enterprise115/desktoplaunch/InfoView/start.do?ivsEntSessionVar=MyEnterpriseSession";
    response.sendRedirect(url);
    %>
    3. Go to the URL http://<servername>:<port>/businessobjects/enterprise115/desktoplaunch/InfoView/logon/<JSP file>.jsp
    Note: JSP does not have to be in /desktoplaunch/InfoView/logon folder but JSP should be in >/businessobjects context.
    Extra Note -
    A new API method has been introduced with BEXI R2 MHF1 for Trusted Authentication that removes the need for the TrustedPrincipal.conf file.  You can now specify the shared secret using the following method:
    ISessionMgr.createTrustedPrincipal(java.lang.String userName, java.lang.String cmsName, java.lang.String sharedSecret)
    So, you can eliminate Part II from the steps above and use this method call:
    ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>", "sharedsecret");
    instead of the old method:
    ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>");

  • Cluster and trusted authentication

    I am using trusted authentication to log into BO server. Everything is set up correctly and working fine even with BO cluster.
    Recently, we created another cluster with a separate set of servers. When I try to connect to this cluster (using the cluster name), a very weird thing is happening.
    When I try to log in using token - first attempt succeeds, second attempt fails, third succeeds, fourth fails..and so on.
    My doubt is that somehow two servers on the cluster are not communicating properly. So, if a token was generated for one server, it doesn't connect to another server. Has anyone seen anything like this before?  Where should I start looking in the cluster setup?

    Tokens aren't cluster member specific.
    You've mentioned Trusted Authentication and tokens, but token generation is separate from authentication, so what's the exact workflow going from Trusted Auth to token generation to token use?
    Sincerely,
    Ted Ueda

  • Trusted Authentication possible with Web Services SDK? BOE - 3.1

    Hi,
    We are planning to upgrade to BOE 3.x. We have integrated our application with BOE using the Web Services SDK. I'd like to know if we can implement trusted authentication using the web services APIs in BOE 3.x.
    Apparently the question was posted here before but no answers -
    Re: trusted authentication.
    Thanks
    Manas

    XI 3.1 Service Pack 2.
    Configure Trusted Authentication on the CMC.   Ensure TrustedPrincipal.conf file with the shared secret is in the <INSTALL>/BusinessObjects Enterprise 12.0/win32_x86 folder.
    If you look in dswsbobje/WEB-INF/classes/dsws.properties, you'll see a property trustedAuthentication.enabled set to false.
    Set it to true, then restart the dswsbobje Java Web Application Server.
    Then you only need to pass in domain (CMS name) and username to the Session Web Services for logon.
    Note that if you do the above, it'll use Trusted Authentication for all requests coming into dswsbobje - i.e., no longer need to pass in passwords.
    So you really need to put something in front of dswsbobje, to authenticate any requests going in.
    Sincerely,
    Ted Ueda

  • Trusted authentication from two systems to BOXI

    Hi,
    We have a system that currently uses trusted authentication to direct users to infoView.  Is it an option for us to use trusted authentication from SharePoint to BOXI at the same time? BOXI 3.1 SP5.
    Thanks,
    Sam

    Hi Sam,
    Looks like this is possible. Please refer to
    http://help.sap.com/businessobject/product_guides/boexir31SP4/en/xi31_sp4_ivforsp_admin_en.pdf
    I can see tags related to trusted authentication in the guide.
    Hope it helps.
    Regards
    Chinmaya

  • Trusted Authentication with Web Services SDK

    Hi,
    I have just configured my BO server to use Trusted Authentication (REMOTE_USER) and it works with InfoView, so I don't need the logon page to enter user and password.
    I also have a .NET application that uses the Web Services SDK and I would like to use Trusted Authentication in it.
    Is there any code to access to BO using Web Services SDK?
    Before the configuration, I was using this code:
    string m_strURL="http://server:8080/dswsbobje/services/Session";
    BusinessObjects.DSWS.Connection oConnection = new BusinessObjects.DSWS.Connection(m_strURL);
    BusinessObjects.DSWS.Session m_wiSession = new Session(oConnection);
    BusinessObjects.DSWS.Session.EnterpriseCredential oEC = new EnterpriseCredential();
    oEC.Login = strLogin;
    oEC.Password = strPassword;
    oEC.AuthType = "secLDAP";
    SessionInfo oSI = m_wiSession.Login(oEC);
    Now, I want to use Trusted Authentication in my .NET application so I wouldn't have to enter user and password.
    I have been looking for some code, but I haven't found it yet. I hope you can help me.
    Thanks,
    Sandra

    Hi, Ted,
    I'm trying to use Trusted Authentication to access QaaWS (via WSDL/Axis, NOT Xcelsius).  I enabled it from CMC, put the shared secret in a correct location (win32_x86 directory) and made the change to dsws.properties file, then I restarted tomcat.  However, the system failed to login.  Below is the trace log.  Is Trusted Authentication supported for QaaWS?  Thanks!
    =======
    2010-02-18 14:09:20,781 [http-8080-Processor25] ERROR com.businessobjects.qaaws.internal.transport.QaaWSServlet () 297906 - invoke()
    java.lang.Exception: com.crystaldecisions.sdk.exception.SDKServerException: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
    cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
    detail:Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
    The server supplied the following details: OCA_Abuse exception 10498 at [.\secpluginent.cpp : 832]  42040 {}
         ...Invalid password
         at com.businessobjects.qaaws.internal.webi.WISessionMgr.makeSession(Unknown Source)
         at com.businessobjects.qaaws.internal.transport.QaaWSServlet.invoke(Unknown Source)
         at com.businessobjects.qaaws.internal.transport.QaaWSServlet.doPost(Unknown Source)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:873)
         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
         at java.lang.Thread.run(Thread.java:595)
    Caused by: com.crystaldecisions.sdk.exception.SDKServerException: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
    cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
    detail:Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
    The server supplied the following details: OCA_Abuse exception 10498 at [.\secpluginent.cpp : 832]  42040 {}
         ...Invalid password
         at com.crystaldecisions.sdk.exception.SDKServerException.map(SDKServerException.java:107)
         at com.crystaldecisions.sdk.exception.SDKException.map(SDKException.java:196)
         at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:710)
         at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:295)
         at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:162)
         at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon(SessionMgr.java:425)
         ... 19 more
    Caused by: com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
         at com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuseHelper.read(oca_abuseHelper.java:106)
         at com.crystaldecisions.enterprise.ocaframework.idl.OCA.OCAs._LogonEx4Stub.UserLogonEx4(_LogonEx4Stub.java:80)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at com.crystaldecisions.enterprise.ocaframework.ManagedService.invoke(ManagedService.java:424)
         at com.crystaldecisions.sdk.occa.security.internal._LogonEx4Proxy.UserLogonEx4(_LogonEx4Proxy.java:222)
         at com.crystaldecisions.sdk.occa.security.internal.LogonService.doLogon(LogonService.java:347)
         at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:684)
         ... 22 more
    org.apache.axis2.AxisFault: org.apache.axis2.databinding.ADBException: Unexpected subelement table
         at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
         at service.wsdl.heartFailure.HFReliabilityScoreStub.fromOM(HFReliabilityScoreStub.java:4131)
         at service.wsdl.heartFailure.HFReliabilityScoreStub.runQueryAsAService(HFReliabilityScoreStub.java:201)
         at org.apache.jsp.AuthTest_jsp._jspService(AuthTest_jsp.java:78)
         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
         at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
         at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
         at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:873)
         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
         at java.lang.Thread.run(Thread.java:595)

  • LDAP Trusted Authentication XI 3.1

    Does anyone have updated documents for XI 3.1 to use Trusted Authentication with LDAP.  We are looking into the Configuring Trusted Authentication using the IIS/Tomcat Bridge, but the document is designed for XIR2.  On page 6 it says the Trusted Authentication will work with any authentication method but while trying to configure it with LDAP I am getting the error: LDAP Authentication has not been configured to use single sign on. Please contact your system administrator. (FWM 00008)
    Thanks for the help.

  • How do we use SSO for both Windows AD and Trusted authentication?

    We want to have the majority of our users access the BO 4 BI Launchpad using SSO with Windows AD authentication.  We have set this up and it's working ok.  We also have a subset of external users and need to configure SSO with Trusted authentication for their Enterprise accounts.  Support says we can only have SSO for one authentication type.  I'm assuming we can work around this by installing a 2nd Tomcat instance on our Linux server.  Has anyone done this type of config successfully?  Any other ideas would be greatly appreciated.  Thanks!

    Hi Collins,
    BOE's CMS can be accessed from multiple application servers.
    Please have a look at this new article here: http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00240702-8343-2f10-ed9a-85ece14c93db
    You may use this method for other application servers (not only NW), but just don't add the file "web-j2ee-engine.xml" as it's not needed.
    Regarding section 4.2.4 of the document: on one application server just set the "authentication.default" property in the file BIlaunchpad.properties to "secWinAD" (for Win AD), and on the other set it to "secEnterprise".
    Please report any problems you may encounter,
    thanks,
    Idan

  • MOBI SSO with trusted authentication and form based authentication

    Dear All,
    I am trying to configure Trusted authentication based SSO FOR MOBI, here are the details:
    - SAP BI 4.1 SP04
    - Trusted authentication with HTTP header configured for BI Launchpad and working fine.
    Now to have SSO from Mobile, I plan to leverage the existing configuration of BI Launchpad and at Mobile level, I want to use authentication type as TRUSTED_AUTH_FORM, instead of TRUSTED_AUTH_BASIC, with the approach: Trusted authentication with HTTP header.
    And
    Provide our app users their X502 certs.
    1. Will the above approach work?
    2. As per SAP NOTE: 2038165 - SSO using form based trusted auth gives with the SAP BI app for iOS gives error MOB00920, this does not work and is still under investigation from July last year? So for any community member, has this been found working?
    I would appreciate your valuable inputs.
    Regards,
    Sarvjot Singh

    Hi,
    According to your post, my understanding is that you want to know the difference of the SharePoint three type user authentications.
    Windows claims-based authentication uses your existing Windows authentication provider (Active Directory Domain Services [AD DS]) to validate the credentials of connecting clients. Use this authentication to allow AD DS-based accounts access to SharePoint
    resources. Authentication methods include NTLM, Kerberos, and Basic.
    Forms-based authentication can be used against credentials that are stored in an authentication provider that is available through the ASP.NET interface.
    SAML token-based authentication in SharePoint 2013 requires coordination with administrators of a claims-based environment, whether it is your own internal environment or a partner environment.
    There is a good article that contains all the SharePoint authentications, including how they work and how to configure them.
    http://sp77.blogspot.com/2014/02/authentication-in-sharepoint-2013_5.html#.VFcyQ_mUfkJ
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support

  • Trusted Authentication using QUERY_STRING

    Hi All,
    We are trying to configure Trusted Authentication using QUERY_STRING in XIR3.1.
    We have a customer portal, wherein we log in to a custom web page and click on the link which routes to InfoView. We are configuring SSO to bypass the credentials from the web portal to the InfoView home page.
    We have created a parameter to pass the user information. We have made all the required changes for configuring trusted authentication, like:
    1) Enable Trusted Authentication in the CMC. Enter the shared secret in the CMC
    2) Make changes to the web.xml file
    3) Create the TrustedPrincipal.conf file
    In the web.xml file we gave "trusted.auth.user.retrieval" as "QUERY_STRING" and "trusted.auth.user.param" as the parameter value we are using to pass the user information.
    If the parameter we are using is "MyUser" to pass the user information, after configuring we noticed that when we launch the URL "http://host:8080/InfoViewApp/logon/logon.do?MyUser=<username>" we can directly log in to InfoView without giving any credentials. We are not sure if we are moving in the right direction. Is this how QUERY_STRING works?
    We also noticed that if, instead of giving a username, we give any other value, the InfoView home page opens up with the Guest account?
    Thank you,
    Bill

    You should disable guest when using any method of SSO. Then anything placed in the URL other than a proper user would fail. And yes, this is exactly how query string works (the username must be supplied in the URL). If looking for a more dynamic/secure method you will need to combine with a front end authenticator such as IIS, SiteMinder, etc. and use one of our other methods such as remote_user, http_header, etc.
    Regards,
    Tim
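
The question and reply above show that with QUERY_STRING the account is whatever name appears in the URL. This added example (not from the thread or from SAP) audits a web.xml for the retrieval method and then scans access-log lines for clients that assert more than one user name. It assumes the standard servlet `<context-param>` layout and a common-log-format access log; the sample file, log lines, addresses and user names are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed web.xml fragment holding the two context-params named in the post.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <context-param>
    <param-name>trusted.auth.user.retrieval</param-name>
    <param-value>QUERY_STRING</param-value>
  </context-param>
  <context-param>
    <param-name>trusted.auth.user.param</param-name>
    <param-value>MyUser</param-value>
  </context-param>
</web-app>
"""

# Constructed access-log lines (common log format, documentation addresses).
_STAMP = ' - - [01/Jan/2012:09:00:01 +0000] "GET /InfoViewApp/logon/logon.do'
SAMPLE_LOG = [
    "192.0.2.10" + _STAMP + '?MyUser=alice HTTP/1.1" 200 512',
    "192.0.2.10" + _STAMP + '?MyUser=alice HTTP/1.1" 200 512',
    "198.51.100.7" + _STAMP + '?MyUser=bob HTTP/1.1" 200 512',
    "198.51.100.7" + _STAMP + '?MyUser=Administrator HTTP/1.1" 200 512',
    "198.51.100.7" + _STAMP + ' HTTP/1.1" 200 512',
]

# Only the three retrieval methods mentioned on this page are classified.
NOTES = {
    "QUERY_STRING": ("high", "user name comes from the URL, so the caller chooses the account"),
    "HTTP_HEADER": ("medium", "safe only if a front-end authenticator sets the header "
                              "and the app server cannot be reached directly"),
    "REMOTE_USER": ("info", "user name is set by the front-end authenticator or container"),
}


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def context_params(web_xml_text):
    """Return {param-name: param-value} for every <context-param>."""
    root = ET.fromstring(web_xml_text.encode("utf-8"))
    params = {}
    for el in root.iter():
        if _local(el.tag) == "context-param":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            if "param-name" in fields:
                params[fields["param-name"]] = fields.get("param-value", "")
    return params


def audit_trusted_auth(web_xml_text):
    """Return (severity, message, user_param) for the configured retrieval method."""
    params = context_params(web_xml_text)
    method = params.get("trusted.auth.user.retrieval", "").upper()
    user_param = params.get("trusted.auth.user.param", "")
    if not method:
        return ("info", "trusted.auth.user.retrieval is not set", user_param)
    severity, message = NOTES.get(method, ("review", "retrieval method not covered here"))
    if method in ("QUERY_STRING", "HTTP_HEADER") and not user_param:
        severity, message = "high", "trusted.auth.user.param is empty for " + method
    return (severity, message, user_param)


REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def clients_asserting_many_users(log_lines, user_param):
    """Map client address -> user names it put in the logon URL, when more than one."""
    seen = defaultdict(set)
    for line in log_lines:
        match = REQUEST.match(line)
        if not match:
            continue
        url = urlsplit(match.group(2))
        if url.path.endswith("/logon/logon.do"):
            seen[match.group(1)].update(parse_qs(url.query).get(user_param, []))
    return {ip: sorted(users) for ip, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    severity, message, user_param = audit_trusted_auth(SAMPLE_WEB_XML)
    print(severity, "-", message)
    print(clients_asserting_many_users(SAMPLE_LOG, user_param))
```
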

  • Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

    I have a scenario in which our enterprise activation servers exist in a domain that is in a separate forest than our offices.  Currently all our domain controllers are 2008 R2 with domain and forest functional levels at 2008 R2.  We have set
    up two-way forest trusts with our office domains using selective authentication.  We then give the domain controllers from our licensing domain the "Allowed to Authenticate" right to the domain controllers in the office domain.  On the
    server 2008 R2 domain controllers in the office domain, we can browse to the appropriate objects in the licensing domain after being presented with an authentication window that allows us to enter credentials for the licensing domain.  However, after
    installing a 2012 R2 domain controller in an office domain, we can not use the 2012 domain controller to browse to the objects in the licensing domain.  It never asks for credentials for the licensing domain when we specify the objects we want to add
    from the licensing domain.  It simply states that the object can not be found.  When I look at the domain controller in the licensing domain, I see that the domain controller in the office domain is attempting to pass the credentials of the user that
    is logged on and this is failing since this user has no rights in the licensing domain.  I can still use a 2008 R2 domain controller in the office domain to add the rights and it works like it always has.  Can somebody tell me why this is happening
    and how to correct it?

    Hi,
    Based on my research, this is a known issue in Windows Server 2012 R2.
    According to the article below: “The Selective Authentication feature of selective trusts is
    not functional. Access to resources enabled by “Allowed to Authenticate” will fail. There is no workaround at this time”.
    Release Notes: Important Issues in Windows Server 2012 R2
    http://technet.microsoft.com/en-us/library/dn387077.aspx
    Best Regards,
    Amy Wang

  • Query regarding database access segregation using os authentication in windows environment

    Hi ,
    I have a query regarding database access segregation using OS authentication (like sqlplus "/ as sysdba") in a Windows environment. Let me briefly explain my requirement:
    Suppose you have two DBAs, viz. DBA1 and DBA2, and 4 databases reside on a Windows server, say A, B, C and D. Now I want to set it up in such a way that if DBA1 logs into the server then he can log in to databases A and B only using OS authentication, and DBA2 can log in to databases C and D only using OS authentication.
    Please let me know how to do setup for this requirement.
    Database version is 11.2.0.3

    1494629, I am not a Windows person but if there is any way to do this I suspect some additional information is necessary:
    Are the DBA users members of the Administrators Group ?
    Do all 4 database share the same $ORACLE_HOME ?
    I suspect if either answer above is yes then this is not possible, but like I said I am not a Windows person.  I would just ask for two servers and the associated licensing to be acquired.  The requirement to spend money to do something management wants usually eliminates the request in my world.
    HTH -- Mark D Powell --
