SSO to ITS through WebSEAL gives secure/non-secure messages

Similar Messages

• Secure and Non-secure Items

  Is anyone else getting a "secure"/"non-secure" items warning when iTunes is being launched from a webpage?
  The page with the problem lives on "https://deimos.apple.com". I don't think that I can fix the problem locally, but the warning stops iTunes from launching and some of my users are getting upset.
  It looks like the solution could be a quick fix, the address to the .css file, and some of the images is "http://deimos.apple.com" (NO "S" in the httpS://deimos...).
  How can I report this type of problem? Who do I send the issue to?

  I think this is your web browser warning you that the web page you are view has https and http URLs. Its not directly an iTunes U issue.

• Configure SSO for ITS to R/3 using SNC/Kerberos

  Our R/3 systems had been configured for SSO using SNC and Kerberos for awhile now.  We now have a requirement to configure SSO between ITS and R/3.  Since our R/3 env. has been using kerberos library, we won't be able to use SAP Cryptographic library.  I had modified the registry, environment and services in itsadmin to point to the kerberos library and principal names for agate and r/3 servers as described in SNC User Guide; also, I updated table SNCSYSACL with the Agate SNC name.  That seems to work fine.  From the trace file, it recognized GSS-API library for Kerberos and the SNC name for Agate.  However, when I tried to logon to R/3 from ITS, I still am being prompted with the logon screen to enter my SAP account/password.
  I found several whitepapers and documentations stating that ITS does support Kerberos for SSO but I couldn't find any procedure on how to implement it.  Following is the error I'm getting from the sapbasis.trc file but I can't find any document on this error:
  =====================================================
  [Thr 5284] SncInit(): Initializing Secure Network Communication (SNC)
  [Thr 5284]       PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
  [Thr 5284] SncInit(): Trying environment variable SNC_LIB as a
        gssapi library name: "C:\WINNT\system32\gsskrb5.dll".
  [Thr 5284]   File "C:\WINNT\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
  [Thr 5284]   The internal Adapter for the loaded GSS-API mechanism identifies as:
    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
  [Thr 2888] Sun Jan 15 22:44:59 2006
  [Thr 2888] <<- ERROR: SncSetParam()==SNCERR_PARAM_DENIED
  [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
  [Thr 2888] Sun Jan 15 22:45:29 2006
  [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
  =====================================================
  Does anyone know what am I missing?  Any help is greatly appreciated.
  Thank you!
  Diem

  Hi Markus,
  I also just installed/configured PAS for LDAP authentication using the "PAS for External Authentication Mechanisms" documentation.  I think the domain problem probably due to not having the external authentication mechanism install (in this case - PAS).  Does that sound right to you?
  I tried both options for ~extid_type parameter = "LD" and "UN".  I added the DN information to table USREXTID when ~extid_type="LD" but both options gave me error of "LDAP authentication failed".  I increased the trace level for sapextaut.trc but I don't see enough detail information.  Following are the errors/data from the trace file.  Can you please let me know how I can tell what string is being passed for authentication? 
  I'm quite sure the LDAP host and port data is correct since we've been using the same information for the SAP LDAP connector and we've been using our LDAP connector between MS AD and R/3 for a long time without any problem. 
  To logon to R/3 through ITS, I entered the AD account (CN attribute in AD) when I got the errors.
  Thank you very much for all your help.
  Diem Tran
  Trace:
  =====================================================
  2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  437]: W sapextauth: PAS session begins...
  2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  456]:     sapextauth: SncNameR3 is:    "p:na1adm/[email protected]"
  2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  462]:     sapextauth: SncNameAGate is: "p:[email protected]"
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  468]:     sapextauth: SNC_LIB is:      "C:\WINNT\system32\gsskrb5.dll"
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  568]:     sapextauth: XGatConnectSession leaving....
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
  2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  993]: W Either ~login or ~password missing, returning XGDKRCloginrequired.
  2006-01-18T01:39:50.281 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
  2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
  2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
  2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
  2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
  2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
  2006-01-18T01:39:59.140 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
  2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
  =======================================================

• Non-secure DDNS security risk?

  We are running a 2008R2 domain. Our DCs are also DHCP/DNS(ADI) servers. The DCs are also member of the DNSUpdateProxy group. We do not have an account being used for passing Dynamic Update credentials.  I read something from Ace Fekay that said
  this is not recommended for DCs, with DNS/DHCP to be in the DNSUpdateProxyGroup, but the DCs are obviously not using DHCP and the security on their records looks fine. 
  We are set to allow both non-secure and secure updates because we have some access points and some HP ILOs(Integrated Lights-Out clients) that are not on the domain and using dhcp. I know that allowing non-secure updates is a huge risk, but
  trying to get details about the risk. We are also set to "Always dynamically update DNS records" & "Dynamically Update DNS records for clients that do not request updates." Almost all of our servers(the main risks we
  care about) are not using DHCP, except for the ILOs.  We are not using NAP.  Here are the questions.
  1.  DNS Spoofing with Windows computer - If someone brings in a windows computer with the same computername as one of our critical servers(obviously it will be off the domain) can it grab an IP address and update the record of the critical server? - I was
  thinking it would detect the naming conflict.
  2. DNS spoofing with Linux computer -  If someone brings in a Linux computer with the same computername as a critical server, can it grab the IP address for a critical server that has a static address?
  I am trying to find some real world scenarios to get approval to switch to "secure-only" updates  The biggest risk from doing that is that we have trouble finding all the DDNS records. Then some expire and we lose connectivity to those resources
  until we get it fixed.  If anyone can throw some realistic disaster scenarios at me, I would appreciate it.
  Thanks,
  Dan Heim

  Hi,
  If you have installed the DHCP service on a domain controller, be absolutely certain not to make that server a member of the DNS Update Proxy group. Doing so would
  give any user or computer full control of the DNS records corresponding to the domain controllers, unless you manually modified the corresponding ACL. Moreover, if a DHCP server that is running on a domain controller is configured to perform dynamic updates
  on behalf of its clients, that DHCP server is able to take ownership of any record, even in the zones that are configured to allow only secure dynamic update. This is because a DHCP server runs under the computer account, so if it is installed on a domain
  controller it has full control over DNS objects stored in the Active Directory.
  For non-windows computers, you can enable name protection.
  For more information please refer to:
  Secure Dynamic Update
  http://technet.microsoft.com/en-us/library/cc961412.aspx
  Configuring Name Protection
  http://technet.microsoft.com/en-us/library/dd759188.aspx
  Hope this helps.

• SSO between ITS 620 R/3 and EP

  Hi,
  I need to use ITS 620 for R/3 4.7 and EP 6.0 for ess/mss implementation
  I have to configure SSO between R/3 and EP.
  Do I also need to configure SSO between ITS and R/3 , ITS and EP also for this?
  If yes can any one tell me the steps in configuring SSO between ITS and R/3, ITS and EP ?
  advance thanks,
  PK

  UPDATE:
  I have installed a portal (SAp netweaver 7.0 Java stack) and have connected it to a ECC6.0 SR3 backend and I needed only to configure the SSO between portal and backend abap instance, and all worked fine. There was no need to configure the SSO between the integrated ITS and abap instance.
  About the error  message mentioned in my previous forum entry:
  I did not only do the steps for SSO between portal and backend as described in the blog "Configuring the Business Package for Employee Self-Service (ESS)", but I also did all the additional steps as mentioned in "10 golden rules of SSO".
  After that the error message "SSO logon not possible; logon tickets not activated on the server" did not appear anymore. (Instead a screen that asks for username and password always appears with the warning "No switch to HTTPS occurred, so it is not secure to send a password". But I think that's ok.)

• User assgined to a group, SSO to ITS is not working

  We had our security group add a ESS-User group.  We imported 500 users and assigned them to that group.  When logging into EP, we are getting access to the correct tabs, but ITS is requiring us to login. 
  But when logging in as a user that is not assigned to this group, the SSo to ITS is working. 
  What setup step are we missing?  Are we supposed to configure something in Visual Administrator.

  Hi Dena,
  A logon trace might provide the cause of the problem. See SAP note 495911 for starting.
  Thanks and regards,
  Dieter

• Secure and non-secure access to the web application in one war

  Say we have one web application (in one war) which includes JSP, servlets and the security intercepter. There is one business requirement to have most of the JSP(s) accessed via HTTPS, but a few JSP(S) accessed via HTTP.
  My questions are:
  a. Is this possible, or a reasonable requirement or a good practice?
  b. if yes, what can we do to make it happen in the security intercepter implementation?
  c. If not, what is the technical reasons?
  Thanks much.

  a) Yes its is reasonable and good practive, there is an overhead using https, so you should only encrypt file you need to. When you use an online store, only account details / payments are https, the shop itself is http
  b) I dont really understand your difficulty. You can define a folder as 'secure' and put all your secure pages in this folder, leaving non secure files in a different folder. Whenever a page in the secure folder is accessed, https is automatically invoked.

• I have an iphone 4 jammed in MDU mode, I conect to itunes and asked to restore, it went through all the steps and nearly completed it gives me an error message saying cannot be restored error -1.  Can anybody help me how to restore my iphone

  I have an iphone 4 started the problem saying no service, then when restarting asked to connect to itunes and became jammed in MDU mode, I connect to itunes and clicked on  restore, it went through all the steps and nearly completed it gives me an error message saying cannot be restored error -1.  Can anybody help me how to restore my iphone.  or what to do next, some reseller asked me to go the shop where I bought to replace it for me as this error cannot be restored by any shop.  It has to be returned to apple and get it replaced.  The warranty already expired and don't know what to do.
  Please help

  Error 1 or -1
  This may indicate a hardware issue with your device. Follow Troubleshooting security software issues, and restore your device on a different known-good computer. If the errors persist on another computer, the device may need service.
  http://support.apple.com/kb/TS3694#error1

• Disabling directory non-secure port

  Hi all.
  Is there in Sun Directory Server 5.1 any way to disable non-secure port in order to bind all the connections through the secure port?
  Thanks in advance.
  Jaime Ferragut
  University of the Balearic Islands

  You could try setting the regular port number to "0". I don't think clients can connect on port 0. Be aware that this may disable your ability to manage the DS through the GUI console.

• Mozilla to phase out non-secure HTTP

  Mozilla has announced its intent to phase out all use of "standard" HTTP, replacing it by the (more-)secure HTTPS.   This involves:
  Setting a date after which all "new" features will be available only to secure websites
  Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy....
  The second element of the plan will need to be driven by trade-offs between security and web compatibility.  Removing features from the non-secure web will likely cause some sites to break.
  https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

  Thank you, thank you, thank you FredMcD!! It was my AVAST anti-virus software. I had the "Web Shield" turned on, so all I did was turn it OFF, so now I can browse on the Internet on any website. When you first install Avast anti-virus, the Web Shield by default is turned on. This really should be turned off as not to freak out new users, especially by those that are not computer savvy. I cannot thank you enough! Take care. :-D

• Security pane in preferences is missing cookies, databases and non-secure forms options?  Also Privacy Pane is totally blank?

  I wanted to delete some cookies.  But when I went to the Security Pane in Safari Preferences, it does not show any of the following categories/settings option:  nothing for cookes (nothing for accept or show or anything else about cookies), nothing for databases, and nothing for non-secure forms.  No controls for these are showing in the Security pane.  Also, the Privacy Pane in Safari preferenes is totally blank--I can't set anything on that.  Where are these controls/settings options, why can't I see them?  I am using OSX 10.6.8 and Safari Version 5.1.9, I have a Mac Book Pro 3.06 Intel. Thanks. 

  Uninstall SIMBL as follows. Back up all data before making any changes.
  Triple-click the line below to select it, then copy the text to the Clipboard (command-C):
  /Library
  In the Finder, select
  Go ▹ Go to Folder...
  from the menu bar, paste into the box that opens (command-V), and press return. A folder will open. From that folder, delete the items listed below (some may be absent.) You may be prompted for your administrator login password.
  Application Support/SIMBL
  InputManagers/SIMBL.bundle
  LaunchAgents/net.culater.SIMBL.Agent.plist
  ScriptingAdditions/SIMBL.osax
  Log out and log back in.
  Make sure you never reinstall SIMBL. It’s likely to come bundled with another third-party system modfication that depends on it. If you want trouble-free computing, avoid software that makes miraculous changes to other software, especially built-in applications. The only real exception to that rule is Safari extensions, which are mostly safe, and are easy to get rid of when they don’t work. SIMBL and its dependents are not Safari extensions.

• Changing a non secure site to secure  site for downloading

  I went to download a program and accidently clicked that the site was non secure. The site / program is secure and I want to download it but everytime I click back into the page there is a "X" in the top left hand corner. How can I can change this back so I can download the program?

  I am wondering if you have solved your connect issues at this point, because my iPhone 5 with IOS 6 has a very similar issue.  In my case, on some non-secure public Wi-Fi Networks, my iPhone will eventually connect, but it may take 15 minutes or more.  It is like the initial hand-shaking is failing and retrying enough times that it eventually goes through. 

• Non-secure login for 5.0 ip services

  How do I change to non-secure login on phones for ip services in 5.0?
  Thanks,
  Andy

  This gives you access to all your subscribed services without logging in every time. Keep in mind that anyone can access your information if your login mode is set to non-secure.
  you need to use the SCCP Phone Security Profile in Callmanager 5.0
  http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a0080645855.html

• Ajax Login both secure and non secure url

  Does anyone know if there is a way to use ajax to log a user in for both the non secure and secure url. Normally if you're submitting a log in form over the secure url with the non secure url in the referrer parameter it will log you in on both domains but not via ajax. Anyone have a good work around?

  Here’s the code I’ve used…
  {% if Settings.Site_Live -%}
  {% assign redirectHTTP = "" -%}
  {% assign redirectDOMAIN = Settings.Site_URL -%}
  {% assign redirectEXTEND = "" -%}
  {% else -%}
  {% assign redirectHTTP = "http%3a%2f%2f" -%}
  {% assign redirectDOMAIN = Settings.System_Name -%}
  {% assign redirectEXTEND = ".fueldesign.co.nz" -%}
  {% endif -%}
  {% capture redirectURL -%}{{redirectHTTP}}{{redirectDOMAIN}}{{redirectEXTEND}}{% endcapture -%}
  <form class="form--box escapeWorldSecureSystems" method="post" action="https://{{Settings.System_Name}}.worldsecuresystems.com/ZoneProcess.aspx?ZoneID=51&amp;Referrer={{ redirectURL}}&amp;OID=&amp;OTYPE=" data-parsley-validate>
  Note: I have a Settings collection that has a lot of data from a Settings web app that controls a lot of settings for the website, such as “Site_Live” checkbox etc. this allows my sign-ins to be generic and editable site to site.
  And here’s the development URL where I’m working on this. (don’t just my site during development stage lol)
  http://astrolift.fueldesign.co.nz/ <http://astrolift.fueldesign.co.nz/>
  username: dev
  password: dev123
  Hopt this gives you some inspiration.
  Let us know if you get the ajax working.
  Cheers guys

• Message "this site has sent a non-secure certifica...

  I use MFE 2.53 to synchronise on Nokia E61 / 61i.
  Each time a receive an email i have to validate this message "this site has sent a non-secure certificate" in MFE.
  Is there a problem on my Exchange server configuration ( certificate ..) or on the mobile configuration ?

  So the certificate installed correctly (meaning you got prompted for the uses and now and you can see it on the list of certificates in the Security settings)? Can't give exact instructions to find this since it depends on device.
  When you say "it's not ok", what do you mean? What is the new behavior since you installed the certificate?