SSO not authorized:no login module success

Similar Messages

• SSO not authorized: Authentication failed.

  Dear Experts,
  I made a homogeneous system copy of my BI 70 prod to quality. I followed the steps according to the docs. After the system copy I did applying new licenses( ABAP, Portal, J2ee) , deleting old portal abap certficates, creating them on both portal & abap, exchage the certificates. All done as per the docs
  Now the ABAP engine is trusting the portal. I mean I am able to login into portal.
  But Portal is not trusting the ABAP, I have issues with BEx tools.
  I did many times delete certficates, exchange them manually and using template installer.
  I also followed the Notes
  917950 - SAP NetWeaver 2004s: Setting Up BEx Web
  888687 - BEx Web Java: Analysis of communication/logon problems
  No use, Now I coming back to square one.
  Has anyone has special thoughts on this issue?
  Thanks for your time and help.
  MB

  I did many times delete certficates, exchange them manually and using template installer.
  I also followed the Notes
  917950 - SAP NetWeaver 2004s: Setting Up BEx Web
  888687 - BEx Web Java: Analysis of communication/logon problems
  support desktool as per
  note 937697
  SE38 ( RSPOR_SETUP ).... etc
  All are failing at one point.
  ================================================
  Status 12: Maintain User Assignment in Portal           System failure during call of function module RSWR_RFC_SERVICE_TEST
  This is the error message we are getting on the Java cluster log
  #1.#000255334607006B00000026003D500800044709864436FE#1204006139737#com.sap.engine.services.rfcengine##com.sap.engine.services.rfcengine.handleRequest#J2EE_GUEST#0####522996e0e43111dc9cb8000255334607#SAPEngine_Application_Thread[impl:3]_27##0#0#Error##Plain###java.lang.RuntimeException:
  call FM RSWR_PREEXECUTION_PROXY to ProgId BIQ_PORTAL_BIQ on host
  afgprd01 with SSO not authorized: Authentication failed.
  ===============================================
  No use, No use ....Now I coming back to square one.
  Has anyone has special thoughts on this issue?
  Thanks for your time and help.
  MB

• Java System error: SSO not authorized: authorization Failed

  Hi,
  I am getting the following error while opening a  BEx report designer or WAD and iam unable to design any report or create a dashboard
  "Java System Error: Call to FM BICS_CONS_GET_VIEW_DEF_J_PROXY to ProdId ASEP_PORTAL_E01 on host ASEP wiht SSO not authorized . Authentication Failed"
  System Details:
  BI and EP are installed in Same server
  BI Config:
  softwarwe component   : SAP_BW
  Release :  700
  Patch Level: 0021
  Support Pack : SAPKW70021 (SAP NetWeaver BI 7.0)
  EP config:
  SAP NetWeaver BI 7.0 SP Level 15
  Please suggest .

  It seems that something wrong in integration between JAVA Stack (from where you accessing BW report) a BW back end system. Try to run Support Desk Tool:
  http://<your_server>:<port>/irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/com.sap.ip.bi.supportdesk.default
  to see what is wrong in this area.

• About the error: "The account is not authorized to login from this station" when you access NAS devices from Windows 10 Technical Preview (build 9926)

  Scenario:
  With the release of Windows 10 Technical Preview (build 9926), some users may encounter an error message of “The account is not authorized to login from this station” when trying to access remote files saved in NAS storage. In
  addition, the following error log may also be found via Event Viewer:
  Rejected an insecure guest logon.
  This event indicates that the server attempted to log the user on as an unauthenticated guest but was denied by the client. Guest logons do not support standard security features such as signing and encryption. As a result,
  guest logons are vulnerable to man-in-the-middle attacks that can expose sensitive data on the network. Windows disables insecure guest logons by default. Microsoft does not recommend enabling insecure guest logons.
  Background:
  The error message is due to a change we made in Windows 10 Technical Preview (build 9926) which is related to security and remote file access that may affect you.
  Previously, remote file access includes a way of connecting to a file server without a username and password, which was termed as “guest access”.
  With guest access authentication, the user does not need to send a user name or password.
  The security change is intended to address a weakness when using guest access.  While the server may be fine not distinguishing among clients for files (and, you can imagine in the home scenario that it doesn’t
  matter to you which of your family members is looking at the shared folder of pictures from your last vacation), this can actually put you at risk elsewhere.  Without an account and password, the client doesn’t end up with a secure connection to the server. 
  A malicious server can put itself in the middle (also known as the Man-In-The-Middle attack), and trick the client into sending files or accepting malicious data.  This is not necessarily a big concern in your home, but can be an issue when you take your
  laptop to your local coffee shop and someone there is lurking, ready to compromise your automatic connections to a server that you can’t verify.  Or when your child goes back to the dorm at the university. The change we made removes the ability to connect
  to NAS devices with guest access, but the error message which is shown in build 9926 does not clearly explain what happened. We are working on a better experience for the final product which will help people who are in this situation. 
  As a Windows Insider you’re seeing our work in progress; we’re sorry for any inconvenience it may have caused.
  Suggestion:
  You may see some workarounds (eg. making a registry change restores your ability to connect with guest access).
  We do NOT recommend making that change as it leaves you vulnerable to the kinds of attacks this change was meant to protect you from.
  The recommended solution is to add an explicit account and password on your NAS device, and use that for the connections.  It is a one-time inconvenience,
  but the long term benefits are worthwhile.  If you are having trouble configuring your system, send us your feedback via the Feedback App and post your information here so we can document additional affected scenarios.
  Alex Zhao
  TechNet Community Support

  Hi RPMM,
  Homegroup works great in Windows 10 Technical Preview (9926 build), when I invited my Windows 10 Technical Preview (9926 build) joined in HomeGroup, I can access the shares smoothly:
  My shares settings is like this:
  Alex Zhao
  TechNet Community Support

• Third party SSO with a custom login module

  Hello everyone,
  I've found a few posts on the forum with questions similar to mine, but none have been answered.  I'm using a 3rd party authentication product along with a custom implementation of the AbstractLoginModule interface.
  The setup is standard: A 3rd party agent is installed on a reverse proxy web server to SAP. The agent is configured to protect SAP resources, and it handles the login screens and authentication. Once the user has been authenticated, the AbstractLoginModule implementation kicks in, decrypts and validates an SSO token, retrieves the username from it and creates an SAP Principal.   
  The login ticket template is configured as follows:
  1.  EvaluateTicketLoginModule   SUFFICIENT
                      2.  MyLoginModule                      REQUISITE
                      3.  CreateTicketLoginModule       OPTIONAL
  One of the integration's key requirements is that direct interaction with standard SAP authentication must be avoided.  More specifically, the user should never need to enter an SAP password.  I'm only seeing two problems, both of which violate this requirement.
  The first is in cases where there is no existing SAP user that matches the authenticated user.  In this case, the third party token and SAP Principal are created, the abort method is called, and the user is redirected to the SAP login page.   I need to either bring to user back to the third party login page or to a custom error page~.
  The second problem occurs when an SAP password change is required. Again in this case, an SAP form is displayed after the module has created the Principal (although once the user changes the SAP password, all's well). If I were to disable mandatory password changes, would this apply to fat client access as well? If so, then it's not a viable option.
  The general idea in both instances is that the SAP I'd appreciate any help or suggestions.  
  Thanks
  ~ Since the SSO token applies to applications outside of SAP, I may add a login module parameter to make this a configurable choice. (I.e. allow the administrator to decide whether to inform the user that SAP authentication failed while preserving the SSO token, or to destroy the token and force re-authentication). However, if there is a way to configure the "bad credentials" URL outside of the module's code/parameters, it may be better to place the choice there.

  Hi Julius,
  Thank you for the quick response - and on a Sunday, no less!
  I have considered verifying that the user existed in SAP before creating the Principal.  One might argue that that would be the common sense thing to do.  The reason I've held off is that the error should be so rare that it may not justify the overhead.  There's a requirement to have a one-to-one username mapping between SAP and the authentication application.  It would be more efficient to assume that this requirement has been met and to handle the Exception when it hasn't been.  Of course, that doesn't mean that it's the right way to go.
  +_Julius Bussche wrote:_+
  For the first concern, if they can access the logon page directly (anyway) you could disable it as you do not want any password based logons (right?) and redirect it to your external page or an error page.
  Yes, this is what I'm hoping to do, but I'm not sure how to do it.  Here are some comments and questions about this:
  1. What's involved in disabling the login page?  I would think you'd need to replace it with something else rather than just switch it off.   Could I limit this change to the login ticket template so that other templates (basic authentication, for example) are still available?
  2. Keep in mind that users will never get past the "real" login page unless they have been authenticated.  This complicates matters because we're dealing with a scenario in which the user has already been authenticated but doesn't exist in SAP.  Therefore, it wouldn't make sense to go back to either login page.   
  3. What's involved in redirecting to an external page?  Is this an explicit redirect in the module code, or can it be decoupled from the module?  It's not a big deal, but it would be nice to avoid mandatory module parameters for relative paths to error pages.   
  I think the question I'm after is: "Can I simply change an SAP login URL parameter to point to a custom error page, and allow everything to work as it does now (where SAP handles the redirect)".  If so, could I limit the scope of the change to the login ticket template?  What would be even better is if I could configure SAP's response to this error.  Somewhere, it's currently configured to display the login page.  Ideally, I'd be able to configure it to display myErrorPage, and then set myErrorPage to the appropriate URL.  
  +_Julius Bussche wrote:_+
  For the second concern, I assume that there are no valid passwords involved here which might have expired, so as long as the user does not have the option to activate a password again and anyway cannot logon via password as the option is not presented... then you should be fine here as well with a forward proxy. Not sure which Java APIs are offered here, but you could check this together with the existence check and react to both prior to accessing SAP "from the outside".
  The problem here is that the SAP passwords are needed outside of the integration.  It's true that whether an SAP password has expired is irrelevant to the integration.  However,  this is a Web-based integration; SAP passwords must still be available to users who have access to other clients.  With this in mind, could I create a user password policy that disables password expiration and automatic password change, but only apply it to Web client access?  If not, do you know how I might override SAPu2019s behavior?
  Once again, thank you for taking your time to help me out.  I am very grateful.
  - John

• Custom login module error: Login permission not granted for myapp (myuser)

  I have developed a custom login module for my application. I have followed the steps outlined in security guide and other postings. I could not log into the application when I access EJBs from an RMI client. I get the following error.
  Login permission not granted for myapp (myuser)
  I did grant the login permission to myuser.
  I am using OC4J 10.1.3.1.0
  Here are the steps I followed and the configuration files. Can anybody help me out?
  1. Created a custom login module and packaged it in EAR along with other classes. In the commit method, I added my user into principals of subject. Here is the code,
  ==================================================================
  public boolean commit() throws LoginException {
  try {
  if (!loginOk) {
  return false;
  Set<Principal> principals = subject.getPrincipals();
  principals.add(user);
  loginOk = true;
  } finally {
  // Some audit logs are written here.
  return loginOk;
  ===============================================================
  2. Added custom login module in orion-application.xml. Here are the relevant portions of orion-application.xml
  ===============================================================
  <jazn provider="XML">
  <property name="role.mapping.dynamic" value="true" />
  <property name="custom.loginmodule.provider" value="true" />
  <property name="role.compare.ignorecase" value="true" />
  </jazn>
  <jazn-loginconfig>
  <application>
  <name>myApp</name>
  <login-modules>
  <login-module>
  <class>com.test.myServerLoginModule</class>
  <control-flag>required</control-flag>
  <options>
  <option>
  <name>maxRetries</name>
  <value>3</value>
  </option>
  <option>
  <name>debug</name>
  <value>true</value>
  </option>
  </options>
  </login-module>
  </login-modules>
  </application>
  </jazn-loginconfig>
  <namespace-access>
  <read-access>
  <namespace-resource root="">
  <security-role-mapping name="myUser">
  <group name="users"/>
  <group name="oc4j-app-administrators"/>
  </security-role-mapping>
  <security-role-mapping name="esp_operator">
  <group name="users"/>
  <group name="oc4j-app-administrators"/>
  </security-role-mapping>
  </namespace-resource>
  </read-access>
  </namespace-access>
  ===============================================================
  3. After the application is deployed on the EAR, I can see the custom login module in system-jazn-data.xml. The command line jazn admin tool lists my custom login module for my application.
  4. I have an RMI client, the client JNDI properties are
  ==============================================================
  java.naming.factory.initial=oracle.j2ee.naming.ApplicationClientInitialContextFactory
  java.naming.factory.url.pkgs=oracle.j2ee.naming
  ==============================================================
  The value for java.naming.provider.url is constructed dynamically and it is ormi://myserver:23791/myapp
  java.naming.security.principal is set to the user who is trying to login, myuser, in this case.
  java.naming.security.credentials is set to the password entered by myuser, password in this case.
  5. I used jazn admin tool to grant login permission to my user.
  ===============================================================
  a. Added user
  java -jar jazn.jar -user oc4jadmin -password welcome -adduser jazn.com myuser password
  b. Grant roles
  java -jar jazn.jar -user oc4jadmin -password welcome -grantrole users ja
  zn.com myuser
  java -jar jazn.jar -user oc4jadmin -password welcome -grantrole oc4j-app
  -administrators jazn.com myuser
  c. Grant RMI permission
  java -jar jazn.jar -user oc4jadmin -password welcome -grantperm jazn.com
  -user myuser com.evermind.server.rmi.RMIPermission login
  ===============================================================
  After the permission is granted, the folowing piece of XML is added to system-jazn-data.xml.
  ===============================================================
       <grant>
            <grantee>
                 <principals>
                      <principal>
                           <realm-name>jazn.com</realm-name>
                           <type>user</type>
                           <class>oracle.security.jazn.spi.xml.XMLRealmUser</class>
                           <name>jazn.com/esp_administrator</name>
                      </principal>
                 </principals>
            </grantee>
            <permissions>
                 <permission>
                      <class>com.evermind.server.rmi.RMIPermission</class>
                      <name>login</name>
                 </permission>
            </permissions>
       </grant>
  ==============================================================
  My principal class is not of type, oracle.security.jazn.spi.xml.XMLRealmUser. Hence, I changed system-jazn-data.xml to include com.test.MyUser instead of oracle.security.jazn.spi.xml.XMLRealmUser. Either way, I get Not Authorized and Login permission not granted for myapp (myuser).
  Can anybody help me out, please?
  Thank you,
  Sri
  Message was edited by:
  user532586

  I finally got it to work. But I have a problem granting RMI Permission "login", if the depth of my Principal class within the inheritance hierarachy is more than one. My hierarachy of my principal class is
  Object --> ObjectA --> ObjectB --> ObjectC --> ObjectD
  ObjectD is my principal class. ObjectB implements java.security.Principal. ObjectA has implementations for methods equals, hashcode and toString. ObjectB has implementations for getName.
  When I try to grant RMI permission for ObjectD, I get an error that says null.
  If I override the methods, equals, hashcode, toString, and getName in ObjectD and provide implementations, I still could not grant permission using jazn tool. I get error that says null. If I update the system-jazn-data.xml with the following grant tag, I could get into the application without any errors.
       <grant>
            <grantee>
                 <principals>
                      <principal>
                           <class>com.test.ObjectD</class>
                           <name>developers</name>
                      </principal>
                 </principals>
            </grantee>
            <permissions>
                 <permission>
                      <class>com.evermind.server.rmi.RMIPermission</class>
                      <name>login</name>
                 </permission>
            </permissions>
       </grant>
  If I create a new class, myPrincipal that implements java.security.Principal, I donot have any problems. I can grant permission and access application.
  Any ideas why I could not use ObjectD as my principal class for granting RMI permission?
  Message was edited by:
  user532586

• Urgent: JAAS Login Module Deployment Problem

  Hi,
  I have developed a JAAS Login module for the portal (EP6 SP9 sneak preview) and i am getting the following error:
  GroupAssignmentLoginModuleLibrary does not exist in LoadContextWrapper.modifyName.
  com.sap.engine.services.security.exceptions.BaseSecurityException: Can not load a login Module
  The next line is a ClassNotFoundException for the Login Module and the class found in negative cache.
  Please let me know if you know the solution to this problem.
  It is an urgent issue and a solution will be suitably rewarded.
  Regards,
  Vibhu

  Hi Diego,
  Scenario 1: SAP EP to SAP Backend Integration
        In this scenario the most commonly used strategy
        is SAP logon tickets. As far as I know this is the
        best and simple way to implement SSO.
  Scenario 2: SAP EP to Non SAP systems.
        In this scenario various mechanisms can be used.
        It depends on the application you are integrating
        with. SAP does deliver SSO soultions with Lotus
        Notes and Outlook etc. If supported probably it is
        simple to use the SAP solution [Reliability and
        Support].
  Scenario 3: Enterprise Uses third party authetication
        Software.
        For the authntication if the company chooses to use
        some third party product like SiteMinder etc, then
        you can simply use this solution for SAP EP authe-
        tication, and also all your other enterprise
        applications based on the product support. But SAP
        EP to other SAP systems be best integrated with SAP
        logon tickets.
  Scenario 4: SSO using homegrown authetication or some
        third party JAAS module.
        If you have significant applications that are home
        grown that uses some custom authentication mecha-
        nism (Example: Authentication based on ID and
        Password stored in company database ) you can write
        a JAAS module extention to authenticate using that
        database. In other words JAAS is flexible and
        for using external authentication mechanisms.
  There are several mechanisms available that all depends
  on your internal applications/security mechanism/integration etc.
  Here is the link to one of the good articles on SDN about the SAP supported SSO mechanisms.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/uuid/58094632-0301-0010-a391-fc0de26f010e
  Hope this information is useful.
  -Venkat Malempati

• Content Player / Policy Configuration component login modules

  Problem using Content Player u2013 HTTP 401 errors, not authorized
  Because of security concerns, we have modified our login Policy Configuration component, u201Cticketu201D to no longer use the login module u201CBasicPasswordLoginModuleu201D. We use the login module u201CSAMLLoginModuleu201D instead and direct our users through our Shibboleth based identity provider.
  We now are having a problem with the Content Player. We have configured it in http://<server>:<port>/lms/mediator/config with connection information including a username and password for both access to the ABAP system and the CMS user. We also have set SNC.
  With the BasicPasswordLoginModule removed, we get HTTP 401 errors, not authorized. We see this in a pop-up window when we try to run a WBT course and we see it in the trace files.
  When we put the BasicPasswordLoginModule back in place, we can access the course.
  We are looking for a way to redirect the Content Player to a different Policy Configuration component that we can then allow to include the BasicPasswordLoginModule.
  Is this possible?
  Where is the configuration defined that directs the Content Player to use that default Policy Configuration component?
  Can we change it to use a different Policy Configuration component?
  Deb Nugent

  It appears that we cannot (or should not) redirect the login module for the Content Player to something other than the "ticket" login method. Since we require Content Player, we re-added the BasicLoginPassword Module to the "ticket" method of logon. We knew this would allow Content Player to work. We are using other / additional security measures to ensure no one is directly accessing our systems with username/password.
  Thank-you all.
  Deb Nugent.

• BUG: BizTalk Service Portal SSO crash upon re-login

  Tried to re-login under another account on BizTalk Services Portal (biztalksvc12.portal.biztalk.windows.net):
  Server Error in '/' Application.
  IDX10301: The 'nonce' found in the jwt token did not match the expected nonce.
  expected: '635592349230300438.YTc4MDI0NmYtZDAzMy00YWU0LTg1MWItNmM5YjFlM2Q3YWZlNGI3MzdlMjgtMjk2Ni00NTQ3LWJhNzYtMjM4MzQxMmRkNWMy'
  found in jwt: '635592349850407122.ZWQzMWZhMmYtNDA4Zi00YmFmLTkzZWItMWNjZjIxN2ZkYzcwZGE5YTYwMGEtMzc0MC00NmU4LWE2MmYtYTM3NTczMTQ5OWIz'.
  jwt: '{"typ":"JWT","alg":"RS256","x5t":"MnC_VZcATfM5pOYiJHMba9goEKY"}.{"aud":"4b1feced-a36d-4e0a-ad97-d66319026ce6","iss":"https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/","iat":1423637906,"nbf":1423637906,"exp":1423641806,"ver":"1.0","tid":"f8cdef31-a31e-4b4a-93e4-5f571e91255a","amr":["pwd"],"email":"[email protected]","idp":"live.com","altsecid":"1:live.com:0003BFFD9C87345C","sub":"iPCzTHkaDYVLQFhpTjUy-94WITrv-1z4KfvHxe1JOws","given_name":"some","family_name":"some","unique_name":"live.com#[email protected]","nonce":"635592349230300438.YTc4MDI0NmYtZDAzMy00YWU0LTg1MWItNmM5YjFlM2Q3YWZlNGI3MzdlMjgtMjk2Ni00NTQ3LWJhNzYtMjM4MzQxMmRkNWMy","c_hash":"Zp47H1us_GhXgYtxufYbLA"}
  RawData: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiI0YjFmZWNlZC1hMzZkLTRlMGEtYWQ5Ny1kNjYzMTkwMjZjZTYiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9mOGNkZWYzMS1hMzFlLTRiNGEtOTNlNC01ZjU3MWU5MTI1NWEvIiwiaWF0IjoxNDIzNjM3OTA2LCJuYmYiOjE0MjM2Mzc5MDYsImV4cCI6MTQyMzY0MTgwNiwidmVyIjoiMS4wIiwidGlkIjoiZjhjZGVmMzEtYTMxZS00YjRhLTkzZTQtNWY1NzFlOTEyNTVhIiwiYW1yIjpbInB3ZCJdLCJlbWFpbCI6ImFsZWtzZXlzQGxpdmUuY29tIiwiaWRwIjoibGl2ZS5jb20iLCJhbHRzZWNpZCI6IjE6bGl2ZS5jb206MDAwM0JGRkQ5Qzg3MzQ1QyIsInN1YiI6ImlQQ3pUSGthRFlWTFFGaHBUalV5LTk0V0lUcnYtMXo0S2Z2SHhlMUpPd3MiLCJnaXZlbl9uYW1lIjoiQWxla3NleSIsImZhbWlseV9uYW1lIjoiU2F2YXRleWV2IiwidW5pcXVlX25hbWUiOiJsaXZlLmNvbSNhbGVrc2V5c0BsaXZlLmNvbSIsIm5vbmNlIjoiNjM1NTkyMzQ5MjMwMzAwNDM4LllUYzRNREkwTm1ZdFpEQXpNeTAwWVdVMExUZzFNV0l0Tm1NNVlqRmxNMlEzWVdabE5HSTNNemRsTWpndE1qazJOaTAwTlRRM0xXSmhOell0TWpNNE16UXhNbVJrTldNeSIsImNfaGFzaCI6IlpwNDdIMXVzX0doWGdZdHh1ZlliTEEifQ.VZEdiY0GPhd8Qg4wb0BLQGQnei2MVzUKifPDeklMLAFmHOtuI8mLZxHqMurmuPaGH4bVo3d6QnP7KgyBlqP6D1xocLI89Bwnhd6EfFXOevGCL1svkdBr01gPmh4I2T5GlWR1konBR-iTJ61ekKRd42IjkowuDXtfQ7YaGGlEofBk7EFq-nxGsOUgqEwih9deX7YdOa9War98ggvfwcHOzh0knrPM5gozvHZbaVRbdLsVvD50pJuxLb-YPnGkaSEY2wteRZcypNVsUTlFm9sV9_kSk1VQmqtMktsuV_K-uSDdy_cvRpi6rC8plSB9VZGXQJULj5xGgnc9ukGsq7haPQ'.
  Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 
  Exception Details: Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolInvalidNonceException: IDX10301: The 'nonce' found in the jwt token did not match the expected nonce.
  expected: '635592349230300438.YTc4MDI0NmYtZDAzMy00YWU0LTg1MWItNmM5YjFlM2Q3YWZlNGI3MzdlMjgtMjk2Ni00NTQ3LWJhNzYtMjM4MzQxMmRkNWMy'
  found in jwt: '635592349850407122.ZWQzMWZhMmYtNDA4Zi00YmFmLTkzZWItMWNjZjIxN2ZkYzcwZGE5YTYwMGEtMzc0MC00NmU4LWE2MmYtYTM3NTczMTQ5OWIz'.
  jwt: '{"typ":"JWT","alg":"RS256","x5t":"MnC_VZcATfM5pOYiJHMba9goEKY"}.{"aud":"4b1feced-a36d-4e0a-ad97-d66319026ce6","iss":"https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/","iat":1423637906,"nbf":1423637906,"exp":1423641806,"ver":"1.0","tid":"f8cdef31-a31e-4b4a-93e4-5f571e91255a","amr":["pwd"],"email":"[email protected]","idp":"live.com","altsecid":"1:live.com:0003BFFD9C87345C","sub":"iPCzTHkaDYVLQFhpTjUy-94WITrv-1z4KfvHxe1JOws","given_name":"some","family_name":"some","unique_name":"live.com#[email protected]","nonce":"635592349230300438.YTc4MDI0NmYtZDAzMy00YWU0LTg1MWItNmM5YjFlM2Q3YWZlNGI3MzdlMjgtMjk2Ni00NTQ3LWJhNzYtMjM4MzQxMmRkNWMy","c_hash":"Zp47H1us_GhXgYtxufYbLA"}
  RawData: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiI0YjFmZWNlZC1hMzZkLTRlMGEtYWQ5Ny1kNjYzMTkwMjZjZTYiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9mOGNkZWYzMS1hMzFlLTRiNGEtOTNlNC01ZjU3MWU5MTI1NWEvIiwiaWF0IjoxNDIzNjM3OTA2LCJuYmYiOjE0MjM2Mzc5MDYsImV4cCI6MTQyMzY0MTgwNiwidmVyIjoiMS4wIiwidGlkIjoiZjhjZGVmMzEtYTMxZS00YjRhLTkzZTQtNWY1NzFlOTEyNTVhIiwiYW1yIjpbInB3ZCJdLCJlbWFpbCI6ImFsZWtzZXlzQGxpdmUuY29tIiwiaWRwIjoibGl2ZS5jb20iLCJhbHRzZWNpZCI6IjE6bGl2ZS5jb206MDAwM0JGRkQ5Qzg3MzQ1QyIsInN1YiI6ImlQQ3pUSGthRFlWTFFGaHBUalV5LTk0V0lUcnYtMXo0S2Z2SHhlMUpPd3MiLCJnaXZlbl9uYW1lIjoiQWxla3NleSIsImZhbWlseV9uYW1lIjoiU2F2YXRleWV2IiwidW5pcXVlX25hbWUiOiJsaXZlLmNvbSNhbGVrc2V5c0BsaXZlLmNvbSIsIm5vbmNlIjoiNjM1NTkyMzQ5MjMwMzAwNDM4LllUYzRNREkwTm1ZdFpEQXpNeTAwWVdVMExUZzFNV0l0Tm1NNVlqRmxNMlEzWVdabE5HSTNNemRsTWpndE1qazJOaTAwTlRRM0xXSmhOell0TWpNNE16UXhNbVJrTldNeSIsImNfaGFzaCI6IlpwNDdIMXVzX0doWGdZdHh1ZlliTEEifQ.VZEdiY0GPhd8Qg4wb0BLQGQnei2MVzUKifPDeklMLAFmHOtuI8mLZxHqMurmuPaGH4bVo3d6QnP7KgyBlqP6D1xocLI89Bwnhd6EfFXOevGCL1svkdBr01gPmh4I2T5GlWR1konBR-iTJ61ekKRd42IjkowuDXtfQ7YaGGlEofBk7EFq-nxGsOUgqEwih9deX7YdOa9War98ggvfwcHOzh0knrPM5gozvHZbaVRbdLsVvD50pJuxLb-YPnGkaSEY2wteRZcypNVsUTlFm9sV9_kSk1VQmqtMktsuV_K-uSDdy_cvRpi6rC8plSB9VZGXQJULj5xGgnc9ukGsq7haPQ'.
  Source Error: 
  An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
  Stack Trace: 
  [OpenIdConnectProtocolInvalidNonceException: IDX10301: The 'nonce' found in the jwt token did not match the expected nonce.
  expected: '635592349230300438.YTc4MDI0NmYtZDAzMy00YWU0LTg1MWItNmM5YjFlM2Q3YWZlNGI3MzdlMjgtMjk2Ni00NTQ3LWJhNzYtMjM4MzQxMmRkNWMy'
  found in jwt: '635592349850407122.ZWQzMWZhMmYtNDA4Zi00YmFmLTkzZWItMWNjZjIxN2ZkYzcwZGE5YTYwMGEtMzc0MC00NmU4LWE2MmYtYTM3NTczMTQ5OWIz'.
  jwt: '{"typ":"JWT","alg":"RS256","x5t":"MnC_VZcATfM5pOYiJHMba9goEKY"}.{"aud":"4b1feced-a36d-4e0a-ad97-d66319026ce6","iss":"https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/","iat":1423637906,"nbf":1423637906,"exp":1423641806,"ver":"1.0","tid":"f8cdef31-a31e-4b4a-93e4-5f571e91255a","amr":["pwd"],"email":"[email protected]","idp":"live.com","altsecid":"1:live.com:0003BFFD9C87345C","sub":"iPCzTHkaDYVLQFhpTjUy-94WITrv-1z4KfvHxe1JOws","given_name":"some","family_name":"some","unique_name":"live.com#[email protected]","nonce":"635592349230300438.YTc4MDI0NmYtZDAzMy00YWU0LTg1MWItNmM5YjFlM2Q3YWZlNGI3MzdlMjgtMjk2Ni00NTQ3LWJhNzYtMjM4MzQxMmRkNWMy","c_hash":"Zp47H1us_GhXgYtxufYbLA"}
  RawData: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiI0YjFmZWNlZC1hMzZkLTRlMGEtYWQ5Ny1kNjYzMTkwMjZjZTYiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9mOGNkZWYzMS1hMzFlLTRiNGEtOTNlNC01ZjU3MWU5MTI1NWEvIiwiaWF0IjoxNDIzNjM3OTA2LCJuYmYiOjE0MjM2Mzc5MDYsImV4cCI6MTQyMzY0MTgwNiwidmVyIjoiMS4wIiwidGlkIjoiZjhjZGVmMzEtYTMxZS00YjRhLTkzZTQtNWY1NzFlOTEyNTVhIiwiYW1yIjpbInB3ZCJdLCJlbWFpbCI6ImFsZWtzZXlzQGxpdmUuY29tIiwiaWRwIjoibGl2ZS5jb20iLCJhbHRzZWNpZCI6IjE6bGl2ZS5jb206MDAwM0JGRkQ5Qzg3MzQ1QyIsInN1YiI6ImlQQ3pUSGthRFlWTFFGaHBUalV5LTk0V0lUcnYtMXo0S2Z2SHhlMUpPd3MiLCJnaXZlbl9uYW1lIjoiQWxla3NleSIsImZhbWlseV9uYW1lIjoiU2F2YXRleWV2IiwidW5pcXVlX25hbWUiOiJsaXZlLmNvbSNhbGVrc2V5c0BsaXZlLmNvbSIsIm5vbmNlIjoiNjM1NTkyMzQ5MjMwMzAwNDM4LllUYzRNREkwTm1ZdFpEQXpNeTAwWVdVMExUZzFNV0l0Tm1NNVlqRmxNMlEzWVdabE5HSTNNemRsTWpndE1qazJOaTAwTlRRM0xXSmhOell0TWpNNE16UXhNbVJrTldNeSIsImNfaGFzaCI6IlpwNDdIMXVzX0doWGdZdHh1ZlliTEEifQ.VZEdiY0GPhd8Qg4wb0BLQGQnei2MVzUKifPDeklMLAFmHOtuI8mLZxHqMurmuPaGH4bVo3d6QnP7KgyBlqP6D1xocLI89Bwnhd6EfFXOevGCL1svkdBr01gPmh4I2T5GlWR1konBR-iTJ61ekKRd42IjkowuDXtfQ7YaGGlEofBk7EFq-nxGsOUgqEwih9deX7YdOa9War98ggvfwcHOzh0knrPM5gozvHZbaVRbdLsVvD50pJuxLb-YPnGkaSEY2wteRZcypNVsUTlFm9sV9_kSk1VQmqtMktsuV_K-uSDdy_cvRpi6rC8plSB9VZGXQJULj5xGgnc9ukGsq7haPQ'.]
  Microsoft.ApplicationServer.Integration.Services.PartnerManagement.Portal.Global.Application_Error(Object sender, EventArgs e) in d:\bt\131418\private\source\Integration\Services\B2B\PartnerManagement\Portal\Web\Global.asax.cs:87
  System.Web.HttpApplication.RaiseOnError() +215
  Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34009

  I got the same error :
  Java system error: call FM RSRD_X_DISTRIBUTE_PROXY to ProgId SERVER_PORTAL_SID on host SERVER with SSO not authorized: Authenticatio...
  this was caused by the Brodcasting funtionality, the process chain for brodcasting was giving this error each time it was launched  !!
  resolved on my side by changing the Jco connection : WD_ALV_METADATA_DEST to use user/password authentification instead of Logon Tickets !!!!
  Hope it gonna help someone !!
  Regards.
  L. Mourad

• Not able to login with window AD account

  Hi,
  I did all the necessary configuration for windows AD in cmc,
  Here are the steps,
  I did the following configuration to set up the WINDOWS AD,
  1.Configured  the service account for use with the AD plug in.
  a)Created the service principal name (SPN) for service account
  b)Set delegation for the service account.
  2.configured the BI Plateform for use with  the service account
  a)Add SPN to the CMC.
  b)Set the  SIA to run as the service account
                  c) verified that service account and windows AD login  account is
                  working checked that no error message appeared and could see white screen
  I tried login with my AD account credential in to CMC but shows error showing "not authorized to login"
  can any1 please help
  Thanks,
  pavana

  Ambarish,
  is this the Kerberos configuration file, I need to set up
  [libdefaults]
  default_realm = DOMAIN.COM
  dns_lookup_kdc = true
  dns_lookup_realm = true
  default_tkt_enctypes = rc4-hmac
  default_tgs_enctypes = rc4-hmac
  [domain_realm]
  .domain.com = DOMAIN.COM
  domain.com = DOMAIN.COM
  .domain2.com = DOMAIN2.COM
  domain2.com = DOMAIN2.COM
  [realms]
  DOMAIN.COM = {
  default_domain = DOMAIN.COM
  kdc = HOSTNAME.DOMAIN.COM
  DOMAIN2.COM = {
  default_domain = DOMAIN2.COM
  kdc = HOSTNAME.DOMAIN2.COM
  [capaths]
  DOMAIN2.COM = {
  DOMAIN.COM =

• Not able  to add login module to authentication stacks!

  HI Portal Gurus!
  we are implementing siteminder sso integration with portal.
  Iam trying to do following configuration ...
  Modify the ticket authentication template:
  a.)Remove from the stack:
  1)BasicPasswordLoginModule
  2)EvaluateTicketLoginModule
  b.)Add the following modules to the top of the stack, in the order shown:
  SiteMinderLoginModule
  CreateTicketLoginModule
  Iam not able to do either reomove exting one nor add new login module.Iam getting an error"Unable to add login module to authentication stacks! "
  Ilogged in to v.admin as administrator with admin & superadmin roles.
  It would be great if anyone could help me in this .
  Regards
  tag

  Hi,
  in change mode only getting an error.
  error"unable to add login module stack to authentication stacl! details are available in status bar"
  in status bar information below...
  Unable to add login module to the authentication stack!
  java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
       at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java(Compiled Code))
       at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java(Compiled Code))
       at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java(Compiled Code))
       at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java(Compiled Code))
       at com.sap.engine.services.security.server.AuthenticationContextImpl.setLoginModules(AuthenticationContextImpl.java(Compiled Code))
       at com.sap.engine.services.security.remoteimpl.RemoteAuthenticationImpl.setLoginModules(RemoteAuthenticationImpl.java(Compiled Code))
       at com.sap.engine.services.security.remoteimpl.RemoteAuthenticationImplp4_Skel.dispatch(RemoteAuthenticationImplp4_Skel.java(Compiled Code))
       at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java(Compiled Code))
       at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java(Inlined Compiled Code))
       at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java(Compiled Code))
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
       at java.security.AccessController.doPrivileged1(Native Method)
       at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
       at com.sap.engine.services.security.exceptions.BaseSecurityException.writeReplace(BaseSecurityException.java:349)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
       at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
       at java.io.ObjectStreamClass.invokeWriteReplace(ObjectStreamClass.java:1057)
       at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java(Compiled Code))
       at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java(Compiled Code))
       at com.sap.engine.services.rmi_p4.DispatchImpl.throwException(DispatchImpl.java(Compiled Code))
       at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java(Compiled Code))
       at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java(Inlined Compiled Code))
       at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java(Compiled Code))
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
       at java.security.AccessController.doPrivileged1(Native Method)
       at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
  I would appreciate if anybody could help for resolving this issue.
  Regards
  Tag

• Opinions on implementing a JAAS login module to achieve SSO

  We are looking at implementing SSO from a sharepoint website to the portal.  The users who are accessing the Sharepoint site are using their own computers and are not members of the AD Domain, so they could theoretically be using any computer in the world to access Sharepoint.
  the desired user experience looks something like this.
  user--login> sharepoint site -no login--
  >portal
  One of the methods we are looking at to achieve this is to implement a custom JAAS login module that would authenticate the user if they are coming from the Sharepoint site.
  I would like to get your opinions on how viable you think this method is.  One of the goals of this method is ease of implementation, so if you can think of an easier way to implement this please let us know.
  the method is basically this.
  1. User logs into sharepoint using their AD username and password and establish an active session with sharepoint
  2. user navigates to a link in sharepoint that points to a resource in the SAP Portal
  3. we don't want the user to have to login to access the resource when they click on the link
  4. to facilitate this, sharepoint has constructed the link in the following way
  5. the link is an https link
  6. the link has two additional parameters in addition to whatever is necessary to navigate to the resource
  7. the parameters are
  8. un = the users AD username
  9. uh = sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + "username")
  10. the user clicks the link and is directed to the SAP portal
  11. the sap portal has a custom JAAS login module which performs it's checks before the other login modules
  12. the custom module computes ( sha1("secret_password_known_to_both_the_login_module_and_sharepoint" + un)) and then compares the result with uh, if they are equal, the custom login module authenticates the user bypassing any further need for authentication, otherwise authentication passes to the original authentication modules as normal.
  If you think there is an easier way, please let us know.  We are essentially looking for the easiest/fastest way to implement this functionality that is still secure.

  Hey Gary,
    I'm currently using Apache running on RedHat that leverage Apache's mod_rewrite module. I've got a bank of 6 reverse proxies sitting in front of an SAP Portal and each proxy runs on a host with dual 3.33GHz processors and 8Gb or RAM. I know... they're waaay over-sized and they pretty much snooze all day.
    This is the sole entry point for all SAP users and we sized them to accommodate the "worst case" of about 5000 (potential) named users, concurrently. Realistically, we've only ever had about 1500 unique users hitting the systems in a day (following an upgrade go-live, everybody is curious and wants to log on) and a typical load of about 500 to 750 users in a day.
    Never had a real performance problem to speak of. As long as the proxies are tuned properly (ssl cache, sessions, etc.), you should be fine.
    Setting header variables and some other "custom stuff" is handled in Perl (need Apache's mod_perl active). We've got a script that's called by all users before being passed to the Portal.
    We used IISProxy.dll with an IIS web server a long time ago (5 years maybe?) but opted to can it in favor of the approach described above.
    If you ask SAP, they'll recommend you use a WebDispatcher... and that's certainly an option as well.
  -Kevin

• OAM 10g - access to resource is not authorized, but no login form displayed

  Hi,
  Here's another one. Let's say I access some (protected) page which redirected me to login form page. Login form page immediately creates a obssocooke (for user obanonymous). Instead of logging in, I just change URL to my protected application (I actually did it because I changed my mind and not while purposely testing).
  I am getting "not authorized" error, instead of being redirected to login page. This is very confusing and bad user experience. The obssocookie appears to point to a valid session (I checked status in my app for user session and it appears to be ObUserSession.LOGGEDIN) but obviously the user anonymous is not authorized.
  So the question is - Is there any way OAM would not create a valid session cookie for anonymous user when I just load login form page? How do you guys solve this issue? Should I somehow use auth level?
  Thanks,
  Alex

  Hi Sagar,
  What you've described is exactly my intention. I want only users with auth level > 0 to access the protected application. Plus for the resource I define my form based login as default authentication scheme (which has level=1). I think that the issue is that I protect the application with my own access gate (not a web gate). And there I have the following logic:
  if(sso cookie is present and status of the session = "logged in") then validate whether user has access to the requested resource. So in my case the sso cookie is found, and belongs to anonymous user, session state = logged in, and I fail at authorization check. I think I need to implement some kind of auth level check, or compare actual user's auth scheme with the one required for the resource, right?
  Thanks,
  Alex

• Custom login module and SSO using 10.1.3.3

  We are using ADF 10.1.3.3 to build applications and recently a requirement from a customer was to use LDAP for authentication but use internal application tables for authorisation. So essentially the username and password will be in LDAP but all the roles definition are in the application. This is because the LDAP directory has tight controls on contents and is used enterprise wide.
  I created a proof of concept to address this requirement using the examples at
  http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
  and also
  http://technology.amis.nl/blog/1462/create-a-webapplication-secured-with-custom-jaas-database-loginmodule-deploy-on-jdeveloper-1013-embedded-oc4j-stand-alone-oc4j-and-opmn-managed-oc4j-10g-as
  specifically using DBProcLoginModule to call a database package.
  The PL/SQL package I created used DBMS_LDAP to call an LDAP directory with the username and password to check authentication and then used internal application tables to get the authorisation details required.
  All this worked very well. I tested on both the embedded OC4J and also standalone OC4J.
  Then one of my peers said will this work with SSO? Specifically we use Oracle OID as we have SSO for Forms and Reports.
  My experience with SSO has been with Oracle OID and having all the user and role details stored within OID.
  So my issue now is can I integrate the custom login module approach I have used with SSO? My knowledge of SSO and OID is limited so I'm not sure how (or if) it would interact with a custom login module. Are the two mutually exclusive?
  Any guidance is appreciated.
  Regards,
  Adrian

  Hi,
  this question should be posted to the Oracle Application Server forum or the security forum. However, based on my findings and experience in this area, I don't think that SSO is integrated with custom LoginModules since the integration would need to be coded in the LoginModule.
  Frank

• Error message:  Cannot sync songs purchased in iTunes to iTouch because computer is not authorized.  I go in and authorize computer (only computer I have ever used for iTunes), seems to be successful.  Then I try to sync again and it gives same error mesg

  It just goes in a circle.  This computer not authorized to sync purchased songs to iTouch.  Follow directions to authorize computer, seems successful.  Sync again and it comes up with the same error message....this computer not authorized to sync iTune purchases to iTouch.  I have deauthorized the computer and reauthorized and it didn't make a difference.  I updated and restored to factory settings.  Still same error message.  I have had this problem the last 2 times I have synced.  Worked previously.  Any ideas??

  additional info:  I looked into similar complaints.  1 suggested that something is wrong with the files.  Delete them off of computer and divice (but they are not on my divice anymore) and then download them again from iTunes purchase history.  Went in to check iTunes purchases to make sure the songs would be there if I did follow these steps.  Well, NONE of them are in my purchase history.....probably the real problem here.  I had an original iPod Nano and then upgraded to my current iTouch.....same computer for both.  Could there have been a problem at the point of switching over to the iTouch?  That doesn't make sence to me because it is through iTunes and it was the same account for both.  I thought I'd be smart and put all the songs in a playlist and burn to a CD and them load them back in that way.....but I was not authorized to burn to a CD....go figure.  Any idease would be great!!