SSO to IIS

Hello,
we tried to set up SSO between the portal and a web application that runs in an IIS. I found several threads about this topic but none of them were really specific. Like:
/message/78763#78763 [original link is broken]
I'm looking for a really easy solution that verifies the SAP SSO Ticket and lets the user log in to the IIS pages. Could anybody give me some information about that? I would prefer a faster solution than the SSO2KerbMap.
Thanks and regards
Markus Armbruster

Hi,
try these links
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/47d0cd90-0201-0010-4c86-f81b1c812e50
http://help.sap.com/saphelp_nw04/helpdata/en/4f/bd2c3a11f3bf31e10000000a11402f/frameset.htm
Regards,
Padman

Similar Messages

  • Java SSO and IIS

    This is a repeat of this post: Java SSO and IIS
    No one answered there.
    Hello,
    my organization uses Java SSO authentication in Oracle Application Server. Now we want to "expand" SSO so that our IIS applications can benefit from Oracle SSO and user needn't print user name / password again. Is there any way to use Java SSO in IIS? In this project we use Java SSO, not Oracle Identity Management.
    Thanks in advance

    Hi ,
    I installed and configured the policy agent successfully. While I am trying to access the application URL I am getting the following error.
    I am using IIS6.0 and access manager 7.1.
    Error 2824:15b9918 AuthService: AuthService::processLoginStatus() Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp.
    2009-03-10 00:03:05.828 Error 2824:15b9918 PolicyEngine: am_policy_evaluate: InternalException in AuthService::processLoginStatus() with error message:Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp and code:3
    2009-03-10 00:03:05.828 Warning 2824:15b9918 PolicyAgent: am_web_is_access_allowed()(http://fcs-ylwkuzfoz1q.ramesh.com:99/website.html, GET) denying access: status = Access Manager authentication service failure
    2009-03-10 00:03:05.828 Debug 2824:15b9918 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://fcs-ylwkuzfoz1q.ramesh.com:99/website.html.
    2009-03-10 00:03:05.828 Info 2824:15b9918 PolicyAgent: am_web_is_access_allowed()(http://fcs-ylwkuzfoz1q.ramesh.com:99/website.html, GET) returning status: Access Manager authentication service failure.
    2009-03-10 00:03:05.828 Debug 2824:15b9918 PolicyAgent: HttpExtensionProc(): status after am_web_is_access_allowed = Access Manager authentication service failure (3)
    2009-03-10 00:03:05.828 Error 2824:15b9918 PolicyAgent: HttpExtensionProc(): status: Access Manager authentication service failure (3)
    2009-03-10 00:03:05.828 Debug 2824:15b9918 PolicyAgent: OnSendResponse(): HTTP Status code is 500
    Can anyone please help me to resolve this?
    Thanks
    Ramesh Kumar GV

  • SSO and IIS 7.5

    Does anyone have advice on how to configure JBoss 7.1.1.Final to successfully enable SSO using IIS 7.5 with integrated windows authentication. This used to be a simple process on CCP 9.3.2 but I've had no luck configuring JBoss 7.1.1.Final to use the SSO. The logs just always say the "LoginId not found for SSO in HttpHeader".
    I've successfully set up the redirect from IIS using the ISAPI filter to connect to the CCP application but have not gotten any further.
    I believe the standalone-full.xml file needs to be altered in some way to enable the SSO, any ideas?

    Hi
    We have resolved this issue, this is a known bug with JBoss 7.1.1 where the headers aren't passed through correctly. TAC had provided us with a patched version of the JBoss JAR file to resolve this.

  • 10g - how to configure sso with iis-

    hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
    but I always meet this message.
    Not Logged In
    You are not currently logged in to the Oracle BI Server.
    If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
    what steps are missing?
    how to check?

    hi, experts,
    I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
    At Thu Feb 17 14:48:46 2011, I logged in to OBI on another machine (not via the browser on the OBI server).
    However, the log shows the login user is the administrator of the OBI server (obiserver\administrator).
    Is any setup on IIS wrong? Thank you very much!
    =========================================================================================
    Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
    Type: Error
    Severity: 40
    Time: Thu Feb 17 14:48:46 2011
    File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
    Properties: ConnId-1,1;ThreadID-1796
    Location:
         saw.odbc.connection.open
         saw.connectionPool.getConnection
         saw.subsystem.security.checkAuthenticationImpl
         saw.threadPool
         saw.threads
    Odbc driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
    [nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
    Type: Error
    Severity: 42
    Time: Thu Feb 17 14:48:46 2011
    File: project/webconnect/connection.cpp Line: 276
    Properties: ThreadID-1796
    Location:
         saw.connectionPool.getConnection
         saw.subsystem.security.checkAuthenticationImpl
         saw.threadPool
         saw.threads
    Authentication Failure.
    Odbc driver returned an error (SQLDriverConnectW).
    ---------------------------------------

  • BI Publisher - SSO and IIS

    Does anyone happen to know if SSO with IIS as the web server would be an issue when trying to use BI Publisher? We are getting an error when trying to log into Publisher with SSO enabled (works fine with RPD Security). I have looked at the documentation and it has a section for updating an Apache file but I can find nothing about using it with IIS.

    Ummm, I am not sure how you are using BIP under IIS since according to the System Requirements and Supported Platforms PDF (http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/e10417.pdf) BIP is supported under IIS via the Oracle Application Server Proxy Plug-in:
    Microsoft IIS is supported as an HTTP server for Oracle Business Intelligence Publisher and Oracle Business Intelligence Office Server via the Oracle Application Server Proxy Plug-in. Oracle Business Intelligence Publisher and Oracle Business Intelligence Office Server require a J2EE Application server.
    So you must have OAS installed in your system.

  • NTLM SSO is not working using IIS

    Hi,
    We are unable to log in to the infoview using SSO; we are getting a "page can't found" error.
    1. We can log in to the infoview using AD authentication when Tomcat is the application server, but we are unable to log in to the infoview using SSO when IIS is the application server.
    2. If we select the option called "Integrated Windows Authentication" under Internet Options then the SSO is not working, and if we uncheck "Integrated Windows Authentication" in Internet Options then we are able to log in to the infoview using SSO. We are able to log in to the infoview using SSO in other environments, and in both the working and problematic environments we configured IIS6, XI2 SP4.
    4. We tried to log in to the infoview using http://servername instead of the entire URL, however we are getting an error.
    5. We restarted IIS but no use.
    6. Our admin followed the options below:
    Open a registry editor, such as Regedit.exe or Regedt32.exe.
    Navigate to:
    HKLM\System\CurrentControlSet\Services\HTTP\Parameters
    Right-click Parameters, select New | DWORD value, and then name the value MaxFieldLength.
    Right-click Parameters, select New | DWORD value, and then name the value MaxRequestBytes.
    In the right pane, double-click MaxFieldLength, and then set its value to 32768 (decimal).
    In the right pane, double-click MaxRequestBytes, and then set its value to 32768 (decimal).
    Close the registry editor and restart the IIS Admin service for the change to take effect.
    But we are getting same problem.
    7. We tried to log in to the infoview using http://localhost but the issue still persists.
    8. We installed the Jakarta redirector. Is this the root cause of this issue?
    9. We selected Integrated Windows Authentication under Default Web Sites and I am sure I gave all the options under Internet Information Manager.
    Anyone please help on this.
    My environment is-
    BOXIR2 SP4,
    NTLM SSO,
    Windows 2003,
    IIS6.

    "We tried to login to the infoview using http://servername instead of entire URL however we are getting error"
    What's the error using the hostname for SSO with integrated windows authentication enabled on only the infoview virtual directory?
    Regards,
    Tim

  • SSO implementation through IIS proxy

    I am implementing SSO through IIS proxy. When I tried to add the iis_sso.dll to the IIS ISAPI filters tab, it's showing red color (which says that it is inactive). Please tell me how to make it green (active).

    Ramesh,
    Which version of EP? I am assuming as well you have IIS 6.0? Also, ISAPI.dll is no longer supported.
    James

  • OBIEE 10G SSO Issue

    HI
    We have configured OBIEE 10g on IIS (ver-6) server. We have a business requirement where we need to integrate OBIEE with another ASP.NET application. So, user should log in once and to view OBIEE reports he should not log in again.
    Now we have checked GO URL option given in Chapter 11 of Oracle® Business Intelligence Presentation Services Administration Guide. But problem is our company policy does not allow us to pass Password in HTTP URL. So we cannot use that solution.
    We are trying to use SSO and referred to Chapter 8 of the Deployment Guide. We followed all the steps given in that chapter.
    Also, we modified isapiconfig.xml and entered <CredentialStore> parameters in it.
    But when we go to the Analytics URL (for remote machine) the login screen shows the "Not Logged In" message.
    Currently we are using the REMOTE_USER method as it is given in the documentation.
    So we did everything by the book. Now my question is:
    1) We do not have any SSO server/product; is there any way we can integrate the OBIEE application with another ASP.NET application on another IIS server? There was a suggestion that if we pass the remote_user parameter in the HTTP header, it is possible to work this way.
    2) Is it possible that if we host both the ASP.NET application and OBIEE 10g on the SAME IIS server there is a way to integrate them using SSO without any SSO server, again by passing the remote_user HTTP header?
    3) What options do we have to integrate the ASP.NET application and OBIEE without using an SSO server itself and without using the GO URL method, as we cannot pass the password in the header? Can the Cookie Enabling Method work in this scenario?
    4) Is there a way that OBIEE directly takes the Windows ID without an SSO server? I know the question might sound stupid, as in the prerequisites I read that we need “SSO system of Choice”, but we need to be absolutely sure about our options and possibilities.
    We also referred to the following thread:
    10g - how to configure sso with iis-
    But this one seems to be unresolved, so kindly help.
    Regards
    Saurabh

    Hi Praveen,
    Thanks for your response. I was doing a bit of R&D on the SOAP API, tell me if I am wrong.
    In case we use the SOAP API to authenticate, then we will get the response in terms of XML and we have to write our own code to render it in tables or charts.
    We don't want that; we just want to automate the authentication part and want to use OBIEE Interactive Dashboards. Kindly suggest if I am wrong and if we just write a piece of code to get the authentication done and it will not affect the further use of OBIEE.
    Regards
    Saurabh

  • SSO login time

    Dear Gurus,
    I need your help to solve this problem:
    First: some context:
    Our customer has an EP 6.0 SP11 (by now, soon will be upgraded to SP18) with IISProxy implementing SSO from Windows to Portal.
    So, I did some tests and measures (using HTTPLook tool) and found that the whole page (home page) takes about 12 sec. to load, and from that, 5 sec. belong to login.
    I found this measuring first the time to respond from zero, and later, measuring time to respond after a successful login.
    Now the question:
    Is there some document or how-to in order to decrease the time needed for issuing the ticket in Portal, or some trick to make faster the SSO from IIS?
    The landscape is this:
    User Repository for Portal = SAP BW @ Win2003 server
    User Repository for BW = Microsoft Active Directory
    SSO = IIS 6.0 with IISProxy
    IIS is on the same server as Portal
    Any suggestions will be very much appreciated
    Cheers
    Patricio

    Patricio,
    Have you tuned the network;
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/62fee690-0201-0010-8199-9ad39a3f586c
    There is also enhancing the page performance;
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/5132a990-0201-0010-f696-b480bffe1f40
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/22baa590-0201-0010-26a3-f1cfa2469973
    James

  • Open document sso in XIR2

    Hello,
    I have a query on configuring open document SSO in XIR2.
    We could configure open document SSO on XIR3.1 from the SAP Notes available, i.e. by configuring Kerberos SSO as a prerequisite and changing the web.xml file for open document.
    Do we need to follow the same procedure for XIR2? We could not find any related documents on open document SSO.
    We have an environment still in XIR2 which is configured with NTLM. We need to configure open document SSO for a few clients. Do we need to shift to Kerberos? Can we configure open document SSO with IIS?
    Please let us know what our possibilities are.
    Thanks
    Collin

    Hello from Spain!
    I'm trying to configure a system with BOXI 3.1 and SSO with AD Kerberos.
    The system is OK when I open the infoview main screen and the user doesn't need to put in their credentials. That's fine.
    But when I try to open a report with an openDocument URL the system is asking me for user and password. I need to avoid this behaviour. Is it possible?
    This is the URL that I'm using: http://svdapp02:8080/OpenDocument/opendoc/openDocument.jsp?sType=wid&sDocName=ace002
    I have read something about changing the web.xml file but I don't know how because I can't see an option in this file for Kerberos (I only see one tag for Vintela).
    Please help
    Thanks in advance

  • IIS 6.0 Policyagent not working with AM loadbalancer

    Trying to enable SSO for IIS 6.0 website running on port 80 with Access manager 7.0. AM loadbalancer URL is configured on OracleAS webcache.
    Everything works fine when policyagent is configured with one of the AM servers instead of load balancer URL. But when configured with AM loadbalancer URL a blank page gets displayed after user gives his credentials on the AM authentication page and submits. Below is the error part of log generated at policyagent's end.
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RequestSet vers="1.0" svcid="auth" reqid="0">
    <Request><![CDATA[<?xml version="1.0" encoding="UTF-8"?><AuthContext version="1.0">
    <Request authIdentifier="0"><NewAuthContext orgName="/"/></Request></AuthContext>]]></Request>
    </RequestSet>
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: BaseService::sendRequest Request line: POST /amserver/authservice HTTP/1.0
    2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: BaseService::sendRequest Cookie and Headers =Host: am.xxxx.com
    2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: BaseService::sendRequest Content-Length =Content-Length: 296
    2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: BaseService::sendRequest Header Suffix =Accept: text/xml
    Content-Type: text/xml; charset=UTF-8
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: BaseService::sendRequest(): Total chunks: 9.
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: BaseService::sendRequest(): Sent 9 chunks.
    2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: HTTP Status = 404 (Not Found)
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Http::Response::readAndParse(): Reading headers.
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Content-Type: text/html; charset=iso-8859-1
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Connection: Close
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Server: Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.2.0 (N;ecid=1254975795829,0)
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Date: Mon, 21 Apr 2008 13:38:04 GMT
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Http::Response::readAndParse(): Reading body content of length: 73435745963999573
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 all: Connection::waitForReply(): returns with status success.
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Http::Response::readAndParse(): Completed processing the response with status: success
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>404 Not Found</TITLE>
    </HEAD><BODY>
    <H1>Not Found</H1>
    The requested URL /amserver/authservice was not found on this server.<P>
    <HR>
    <ADDRESS>Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server Server at INTRANET-WC.xxxx.COM Port 7777</ADDRESS>
    </BODY></HTML>
    Any idea why it is looking for /amserver/authservice context on the webcache??
    Thanks
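As an added example (not part of the original thread and not the agent's own tooling), the Python below parses a policy agent debug log in the layout quoted above and pairs each outgoing request with the HTTP status and `Server` banner of the reply, which shows which tier actually answered a failed call such as the 404 on `/amserver/authservice`. The sample log is constructed with placeholder host names, and the names `Exchange`, `parse_exchanges` and `failed_exchanges` are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same layout as the agent debug log quoted above.
# Host names and the second (successful) exchange are placeholders.
SAMPLE_LOG = """\
2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: BaseService::sendRequest Request line: POST /amserver/authservice HTTP/1.0
2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: BaseService::sendRequest Cookie and Headers =Host: am.example.com
2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: BaseService::sendRequest Header Suffix =Accept: text/xml
Content-Type: text/xml; charset=UTF-8
2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: HTTP Status = 404 (Not Found)
2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Server: Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.2.0
2008-04-21 19:08:05.101 Debug 2160:18ef080 AuthService: BaseService::sendRequest Request line: POST /amserver/authservice HTTP/1.0
2008-04-21 19:08:05.101 Debug 2160:18ef080 AuthService: BaseService::sendRequest Cookie and Headers =Host: am1.example.com
2008-04-21 19:08:05.120 Debug 2160:18ef080 AuthService: HTTP Status = 200 (OK)
2008-04-21 19:08:05.120MaxDebug 2160:18ef080 AuthService: Server: ExampleContainer/1.0
"""

# Record header: timestamp, level (sometimes glued to the timestamp, as in
# "556MaxDebug"), thread id, module name, then the message.
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s*"
    r"(?P<level>[A-Za-z]+)\s+(?P<thread>\S+)\s+(?P<module>\w+):\s?(?P<msg>.*)$"
)
REQUEST_LINE = re.compile(r"Request line: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/")
HOST = re.compile(r"Host: (?P<host>\S+)")
STATUS = re.compile(r"HTTP Status = (?P<code>\d{3})")
SERVER = re.compile(r"^Server: (?P<banner>.+)$")


@dataclass
class Exchange:
    """One agent-to-server HTTP call reconstructed from the debug log."""
    thread: str
    method: str
    path: str
    host: str = ""
    status: int = 0
    server: str = ""


def parse_exchanges(text):
    """Return the HTTP exchanges found in the log, in order of appearance."""
    exchanges = []
    open_by_thread = {}  # thread id -> exchange still being filled in
    for raw in text.splitlines():
        rec = RECORD.match(raw.strip())
        if rec is None:
            continue  # continuation line (XML body, extra header): skip it
        thread, msg = rec["thread"], rec["msg"]
        req = REQUEST_LINE.search(msg)
        if req:
            ex = Exchange(thread, req["method"], req["path"])
            exchanges.append(ex)
            open_by_thread[thread] = ex
            continue
        ex = open_by_thread.get(thread)
        if ex is None:
            continue  # reply data with no request seen on this thread
        status = STATUS.search(msg)
        banner = SERVER.match(msg)
        host = HOST.search(msg)
        if status:
            ex.status = int(status["code"])
        elif banner:
            ex.server = banner["banner"]
        elif host and not ex.host:
            ex.host = host["host"]
    return exchanges


def failed_exchanges(exchanges):
    """Exchanges whose reply was an HTTP error (status 400 or above)."""
    return [ex for ex in exchanges if ex.status >= 400]


if __name__ == "__main__":
    for ex in failed_exchanges(parse_exchanges(SAMPLE_LOG)):
        print(f"{ex.method} {ex.path} via {ex.host} -> {ex.status}, "
              f"answered by: {ex.server}")
```
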

    com.sun.am.cookie.name = iPlanetDirectoryPro
    # If this property is set to true the cookies set by the agent
    # will be marked secure and will only be transmitted if the
    # communications channel with the host is a secure one.
    com.sun.am.cookie.secure = false
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://<Loadbalancerhostname>:7777/amserver/namingservice http://<Loadbalancerhostname>:7777/amserver/namingservice
    com.sun.am.ignore.naming_service = true
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://<Loadbalancerhostname>:7777/amserver/UI/Login http://<Loadbalancerhostname>:7777/amserver/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = D:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature of not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.<Protectedserverhostname>.80
    com.sun.am.log.level = all:5
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = lmsagent1
    com.sun.am.policy.am.password = HCuUvbq+uuVQ0LA9cDZUsw==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = D:/Sun/Access_Manager/Agents/2.2/iis6/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://<Protectedserverhostname>:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) a policy entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property determines the amount of time (in minutes) an sso entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.sso.polling.period=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=HTTP_HEADER
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=myuid|my_uid,cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = true
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://<Protectedserverhostname>:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = <Protectedserverhostname>
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Access Manager policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validation
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = true
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    # The following property is to enable encoding of URL special
    # chars, if any. If set to true agent will encode URL special
    # characters before sending for policy evaluation.
    com.sun.am.policy.agents.config.encode_url_special_chars.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for example apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app serverpath if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port =
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be dropped.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The following property in milliseconds indicates how long the
    # socket connection needs to be kept open.
    # The default value is 0 which implies no timeout.
    com.sun.am.connect_timeout = 0
    # This property determines the amount of time (in minutes) after which
    # the agent polls whether the primary server is up and running.
    # The default value is 5 minutes
    com.sun.am.poll_primary_server = 5
    # Indicate if the socket option TCP_NODELAY should be enabled.
    # Possible values are true or false. Default is false
    com.sun.am.tcp_nodelay.enable = false
    com.sun.am.policy.agents.config.locale = en_US
    # Set the IIS filter priority. The choices are
    # HIGH - IIS5 filter priority is HIGH.
    # LOW - IIS5 filter priority is LOW.
    # MEDIUM - IIS5 filter priority is MEDIUM.
    # DEFAULT - IIS5 filter priority is DEFAULT.
    com.sun.am.policy.agents.config.iis.filter_priority = HIGH
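
The comments in the AMAgent.properties above describe settings that let requests through without authentication: the not-enforced URL list and its invert switch, the not-enforced client IP list, and ignore_path_info, which the file warns must not be combined with patterns that have text after the `*`. The following is an added example, not part of the original post or of the policy agent: a small Python audit of those properties over a constructed sample. The sample hosts, and the treatment of SERVER_PROTO/SERVER_HOST entries as unsubstituted template tokens, are assumptions.

```python
PREFIX = "com.sun.am.policy.agents.config."

# Constructed sample in the format of the AMAgent.properties posted above.
# Host names and values are made up for illustration.
SAMPLE = """\
# constructed sample
com.sun.am.policy.agents.config.notenforced_list = http://host.example/public/* http://host.example/*.gif SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs*
com.sun.am.policy.agents.config.notenforced_list.invert = false
com.sun.am.policy.agents.config.notenforced_client_ip_list = 192.168.12.2
com.sun.am.policy.agents.config.ignore_path_info = true
"""


def parse_properties(text):
    """Return {key: value} for 'key = value' lines; '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def flag(props, name):
    """True only when the boolean property is literally 'true'."""
    return props.get(PREFIX + name, "").strip().lower() == "true"


def audit(props):
    """Return (code, detail) findings for settings that widen unauthenticated access."""
    findings = []
    patterns = props.get(PREFIX + "notenforced_list", "").split()
    # ignore_path_info = true means path info is NOT stripped before matching,
    # so the file's own warning applies: nothing may follow the '*'.
    keep_path_info = flag(props, "ignore_path_info")
    for pat in patterns:
        # Assumption: these upper-case tokens are template placeholders that
        # were never replaced, so the entry was never reviewed for this site.
        if "SERVER_HOST" in pat or "SERVER_PROTO" in pat:
            findings.append(("template-token", pat))
            continue
        star = pat.find("*")
        if keep_path_info and star != -1 and pat[star + 1:]:
            findings.append(("text-after-wildcard", pat))
    if flag(props, "notenforced_list.invert"):
        # Inverted: the whole site is open except the listed URLs.
        findings.append(("inverted-list", "only listed URLs require authentication"))
    for ip in props.get(PREFIX + "notenforced_client_ip_list", "").split():
        # Requests from these addresses skip authentication and authorization.
        findings.append(("ip-bypass", ip))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_properties(SAMPLE)):
        print(f"{code:20} {detail}")
```

Run it against a copy of the real file by passing its text to `parse_properties`; each finding is a line to review, not proof of a misconfiguration.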

  • Crystal Server 2008 authentication issue

    I have installed Crystal Server 2008 v1 on Windows Server 2008 64 bit, IIS 7 using AD authentication (not SSO).
    IIS has been configured to accept anonymous connections. If I run .net Infoview on the server it is fine, but as soon as I connect from a client I can authenticate and log onto Infoview, but within Infoview I am continually prompted by Windows to authenticate to the server and I cannot run any reports - nothing I put in there works.
    I have been running BOE XI on Server 2003 32 bit without any such issues at all.
    Could someone pls point me in the right direction?
    Thanks
    Garth

    Solved the issue by activating anonymous authentication on the default web site and propagating it down to all the web sites under the default site...

  • SAP EP calling ASP screen - asking multiple logon prompt from internet

    Hi,
    We have an EP page which calls multiple ASP pages from the IIS server. When the users are on the internet, the system shows multiple logon prompts from the IIS server.
    1. May I know how to make it a single logon?
    2. Is it possible to do SSO between IIS and EP 7.3?
    Thanks

    Hi,
    you can use the SSO22KerbMap ISAPI Filter to accomplish your requirement. Please refer to
    Using SAP Logon Tickets for Single Sign on to Microsoft based web applications
    and
    Single Sign-On of Windows-based Web Service Clients using SAP Logon Tickets
    for more details.
    Alternatively you can try with SAML (see Single Sign-On with SAML 2.0 - Security and Identity Management - SCN Wiki for more details), but then you should implement a SAML service provider on the IIS/ASP side, since unless I'm mistaken IIS does not provide it by default. Maybe this link can be helpful for you: An Open Source ASP.NET SAML2 Service Provider | Passion for Coding
    Best regards,
    Artem

  • BOE XI R2 - Configuring RAS with Service user, RAS Fails to start...

    Colleagues:
    Where would kbase article c2018785 be found?
    I am configuring my BOE XI R2 to use End-to-End SSO via IIS using this document from Business Objects:
    Link: [https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/403cdf46-c63e-2b10-2997-978cb8ba59f0]
    In this document, you create a service user under which certain applications run, including the Report Application Server.
    There is a specific note on page 6 in the doc which states:
    The RAS server may fail to start under this new service account. If you experience this issue, follow the steps outlined in the following kbase:
    Link: [http://support.businessobjects.com/library/kbase/articles/c2018785.asp]
    Unfortunately, the link is out of date, and I have not found the article using the existing search tools.
    I did use the -trace argument to the command line to start up the RAS service, and the output is as follows:
    Timestamp     ProcessID     ThreadID     Message
    [Thu May 07 13:21:39 2009]     4448     4228     (.ashwin32service.cpp:165): trace message: RAS starting
    [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2039): CDTSApp::InitInstance(): In CDTSParameters::RUN
    [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2055): CDTSApp::InitInstance(): Starting server. Process Id=4448
    [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2062): CDTSApp::InitInstance(): setServerParameters() done
    [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2130): CDTSApp::InitInstance(): initLicenseLimit() returns 1
    [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:3895): CDTSApp::loadServerOptions(): about to SaveToRegistryAsDefault
    [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:3897): CDTSApp::loadServerOptions(): done SaveToRegistryAsDefault hr=-2147024891
    [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:3916): CDTSApp::loadServerOptions(): error Access is denied.
    [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2134): CDTSApp::InitInstance(): loadServerOptions() returns 0
    [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2194): CDTSApp::InitInstance(): getDataEngineName() returns C:TrouxBusiness Objectscommon3.5 incrpe32.dll
    [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2197): CDTSApp::InitInstance(): openEngine() returns 0
    [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2292): CDTSApp::InitInstance(): preloadMSXML() done
    [Thu May 07 13:21:39 2009]     4448     4228     trace message: EnCOMSessionMgr::EnCOMSessionMgr begins...
    [Thu May 07 13:21:39 2009]     4448     4228     trace message: EnCOMSessionMgr::EnCOMSessionMgr trying to get Singleton SessionManager.
    [Thu May 07 13:21:39 2009]     4448     4228     trace message: CInfoSessionManager::Initialize start
    [Thu May 07 13:21:39 2009]     4448     4228     trace message: CInfoSessionManager::Initialize, start the cluster refresh thread
    [Thu May 07 13:21:40 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:40.217 4448 4228 (.dtsdts.cpp:2445): CDTSApp::InitInstance(): caught UNKNOWN EXCEPTION!!!
    [Thu May 07 13:21:40 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:40.217 4448 4228 (.dtsdts.cpp:2461): CDTSApp::InitInstance() returns 0
    [Thu May 07 13:21:40 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
    TraceLog 2009  5  7  8:21:40.217 4448 4228 (.dtsdts.cpp:1039): CAgentMapMT::ShutDown - outstanding agents:
    [Thu May 07 13:21:40 2009]     4448     4228     (.ashwin32service.cpp:329): trace message: RAS Exiting: return code = 0
    In the Windows event viewer, this error is echoed:
    Failed to load Report Application Server settings from the system registry.
    Detailed Message: Access is denied.
    It seems my service account needs a certain permission to be able to load and read the registry for this application, and I'm sure this permission is discussed in the missing kbase article. 
    Could you please let me know what permission is required for this user on the OS? This is Win2003 x64 SP2.
    Thanks, and have a good day

    Hi,
    if this is a permissions problem then just start regedit, go to
    My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects
    select it, press the right mouse button and choose Permissions. Press the Advanced button and assign your service account full control at this point of the registry. Do not forget to select the "Replace Permissions Entries on all child objects ..." option.
    You can also take a look at Notes 1199630 and 1201489 (this one is for CR 10 but it may be worth it to follow the instructions there) ( [https://service.sap.com/notes])
    Regards,
    Stratos

  • AD FS - KB3003381 causes redirect loop on login

    Hi,
    I'm using AD FS 2.1 for SSO (2 IIS sites and several WCF services) but my users have been seeing redirect loops when they try to login. Once the user's browser recognises the loop and interrupts it, they are able to either resubmit the request with a page refresh (depending on the browser) or navigate to the URL of the site and they are logged in, but this is not a good workaround. We are using SecurEnvoy for 2FA.
    This behaviour started shortly after KB3003381 was applied to the production environment, and I have replicated the behaviour on our staging environment. Removing this patch from the staging environment causes the login mechanism to behave normally.
    From Fiddler, once users have authenticated successfully using SecurEnvoy, they are directed to
    https://<AD FS proxy URL>/adfs/ls/?wa=wsignin1.0&wtrealm=<site URL>&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=<UTC timestamp>
    which results in a 302 redirect to 
    https://<AD FS proxy URL>/adfs/ls/auth/basic/?wa=wsignin1.0&wtrealm=<site URL>&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=<UTC timestamp>
    This should return a 200, but instead returns a 302 redirect to the same URL, until stopped by the browser.

    It seems that you have already asked in another forum: http://serverfault.com/questions/658095/adfs-2-1-redirect-loop-on-login
    Simply remove the installed update and contact Microsoft to report the issue: http://support.microsoft.com/ContactUs
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
