SSO using Kerberso receiving "Integrity check on decrypted field failed (31

Similar Messages

• Kerberos Authentication: "Integrity check on decrypted field failed"

  Hi,
  I have configured a portal (NW 7.0 SP13) for Kerberos Authentication. I have another portal with exactly the same configuration (same MS-ADS etc, just a different user) which is working fine. But this one is giving me the error "Integrity check on decrypted field failed" (and Kerberos Auth fails).
  Any ideas?? I get the same error whether I use the keytab from the SPNEGO wizard, or the keytab from "ktpass -princ host/%HOST%@%DOMAIN% -pass %PASSWORD% -out keytab -mapUser %USER% +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL"
  The only difference I can see between the ldifde outputs of the two users (the one that works and the one that doesn't) is the one that doesn't has an extra SPN "HTTP/" - would that cause this error??
  Has anyone else had this error & what causes it?
  Many thanks in advance.
  Regards
  Jane
  Full error text:
  JGSS_DBG_CTX Creating context, initiator = no, input cred = not null
  JGSS_DBG_CRED getCred: only one cred, returning it
  JGSS_DBG_CRED getName found name: host/[email protected], mech=1.2.840.113554.1.2.2
  JGSS_DBG_CRED Krb5 name type = 0
  JGSS_DBG_CTX Creating context, cred usage = 2
  GSS Context created
  JGSS_DBG_UNMARSH Real token len 1641
  JGSS_DBG_UNMARSH Token oid 1.2.840.113554.1.2.2
  JGSS_DBG_UNMARSH inner token len 1630
  JGSS_DBG_PROV getFactory: index = 0 found factory
  JGSS_DBG_PROV getMechs: Mechanism(s) supported by provider IBMJGSSProvider
  JGSS_DBG_PROV 1.2.840.113554.1.2.2
  JGSS_DBG_PROV getMechs: 1 unique mechanism(s) found
  JGSS_DBG_PROV [0]: 1.2.840.113554.1.2.2
  JGSS_DBG_CTX Default list of negotiable mechs:
  1.2.840.113554.1.2.2
  JGSS_DBG_CTX ticket enc type = des-cbc-md5
  com.ibm.security.krb5.internal.KrbException, status code: 31
  message: Integrity check on decrypted field failed
  at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:31)
  at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:15)
  at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:32)
  at com.ibm.security.krb5.EncryptedData.decrypt(EncryptedData.java:106)
  at com.ibm.security.jgss.mech.krb5.k.a(k.java:248)
  at com.ibm.security.jgss.mech.krb5.k.b(k.java:188)
  at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:533)
  at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:155)
  at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:153)
  at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:738)
  at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)
  at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
  at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
  at java.security.AccessController.doPrivileged(AccessController.java:242)
  at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
  at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
  at java.lang.reflect.Method.invoke(Method.java:391)
  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
  at java.security.AccessController.doPrivileged(AccessController.java:242)
  at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
  at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
  at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
  at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
  at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
  at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
  at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
  at java.security.AccessController.doPrivileged(AccessController.java:242)
  at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
  at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
  at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
  at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(AccessController.java:215)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
  com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
  JGSS_DBG_CTX Error authenticating request. Reporting to client
  Major code = 11, Minor code = 31
  org.ietf.jgss.GSSException, major code: 11, minor code: 31
  major string: General failure, unspecified at GSSAPI level
  minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.KrbException, status code: 31
  message: Integrity check on decrypted field failed

  Hi Désirée,
  Yes the service user has "Use DES encryption" set.
  In the end, it was resolved by changing the password and running the SPNEGO wizard again to generate a new keytab with the new password.
  Regards
  Jane

• Jaas & Integrity check on decrypted field failed

  I'm trying to do Kerberos authentication using JAAS and the jdk 1.4.1_02 under Mandrake 9.1. The Kerberos server is installed on a Redhat 9 machine. I'm using the login module com.sun.security.auth.module.Krb5LoginModule and the TextCallbackHandler class. The login fails with the error "Exception: krb_error 31 Integrity check on decrypted field failed (31) Integrity check on decrypted field failed". I get the same error if I use the kinit utility bundled with the jdk. Conversely all seems ok when I use the kinit utility bundled with the kerberos client programs of my Mandrake 9.1 distribution.
  Anyone could help me?
  Michele

  I encountered the same problem--"Integrity check on decrypted field failed (31)" when trying to authenticate against a KDC (v5) running RedHat 8.0 (JASS and JDK 1.4.1_02)--but I was able to use Kerberized telnet and login from remote/local machines to get authenticated with this RedHat KDC. There is no problem authenticating against a KDC running Win2k AD/Kerberos with the same code. I am using the com.sun.security.auth.module.Krb5LoginModule.
  Can anyone help me to resolve this issure?

• Error from sample JAAS: Integrity check on decrypted field failed (31)

  I am trying to follow the tutorial for JAAS Authentication located here:
  http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html
  I am trying to run the sample JaasAcn.java but am getting a strange error when I try to log on to my Active Directory.
  I am using Java version: jre1.6.0_03
  I can login to Active Directory fine with the credentials I am providing, just not with this client, so I know the credentials are valid.
  What could this mean?
  The Error message is: [Krb5LoginModule] authentication failed
  Integrity check on decrypted field failed (31)
  Here is the full output:
  C:\Progra~1\Java\jre1.6.0_03\bin\java -Dsun.security.krb5.debug=true -Djava.security.krb5.realm=PRSDev.local -Djava.security.krb5.kdc=192.168.40.72 -Djava.security.auth.login.config=jaas.conf JaasAcn
  Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
  alse ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is fa
  lse principal is null tryFirstPass is false useFirstPass is false storePass is f
  alse clearPass is false
  Kerberos username [ILea]: sra
  Kerberos password for sra:
  [Krb5LoginModule] user entered username: sra
  Using builtin default etypes for default_tkt_enctypes
  default etypes for default_tkt_enctypes: 3 1 23 16 17.
  Acquire TGT using AS Exchange
  Using builtin default etypes for default_tkt_enctypes
  default etypes for default_tkt_enctypes: 3 1 23 16 17.
  KrbAsReq calling createMessage
  KrbAsReq in createMessage
  KrbKdcReq send: kdc=192.168.40.72 UDP:88, timeout=30000, number of retries =3, #bytes=144
  KDCCommunication: kdc=192.168.40.72 UDP:88, timeout=30000,Attempt =1, #bytes=144
  KrbKdcReq send: #bytes read=587
  KrbKdcReq send: #bytes read=587
  EType: sun.security.krb5.internal.crypto.DesCbcMd5EType[Krb5LoginModule] authentication failed
  Integrity check on decrypted field failed (31)
  Authentication failed:
  Integrity check on decrypted field failed (31)

  FYI The fix for this was to chang the value for -Djava.security.krb5.realm to be all upper case
  Once that change was made authentication passed
  Edited by: IDL on Jan 2, 2008 9:25 AM

• Z61t - Integrity check for code area failed system halted

  Saw the post for the T series which recommended to downgrade bios to 2.23.
  Having this issue with the Z61ts since January 4, 2010.
  -Docked and undocked
  -With and without the network cable plugged in
  -With and without peripherals plugged in
  -Bios 2.26 and 2.27,
  -SafeGuard Easy 4.3 and 4.5.2. 
  In some cases restoring the SafeguardEasy Kernel fixes the issue.  In some cases the error reappears and either the kernel needs to be restored again, or the PC can just be rebooted. One case had 2 kernel restores, a reimage and a kernel restore.

  ^ Same problem here.
  How long it takes to create new fixed Bios-software.?
  Moderator edit: Thinly disguised profanity removed. Please stick to the Community Rules.

• Regd. error in sender agreement(when to check sender uses virtual receiver)

  hi Experts,
  I  am doing a file(  SFTP adapter ) to IDOC scenario.
  I got an error :
  Couldn't retrieve inbound binding for the given P/S/A values:FP=XYZ;TP=;FS=XXXX;TS=XXXX;AN=XXXXXX;ANS=;
  I checked my sender agreement  and saw some "*" symbol displayed at the end on SA name.
  To quick fix it and remove the star symbol'', i have just created SAgreement  again and this time i checked "Sender uses virtual receiver " and revomved thestar symbol '' and saved without mentioning anything there.
  When i tested it worked!  but i want to know what made it work, is it the right practice.
  i did a lilttle search on when to use  "sender uses virtual receiver" option.i came to an understanding that it is mainly used to handle multiple input file formats in a single configuration scenario.
  one more qns:
  What are marketplace adapters,is this error comes when we use adapters which are not inbuilt or bought from external vender.
  Regards,
  Anika
  Edited by: Anika Gulati on Jun 10, 2009 1:23 PM

  Here are few ways for it...
  SAP Process Integration: When to Use u201CSender Uses Virtual Receiveru201D in a Sender Agreement
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40cb67f7-6464-2b10-bcb9-8edb9a3569f9
  SAP Network Blog: Virtual Receiver - Why do you 'really' need it?
  /people/shabarish.vijayakumar/blog/2008/09/16/virtual-receiver--why-do-you-really-need-it
  -SM

• Getting "IPSEC(epa_des_crypt): decrypted packet failed SA identity check" messages on packets from only one of two far-end sources sharing the same tunnel, the other source works fine. What exactly does this error mean?

  One computer at COMPANY-A is attempting to communicate with two
  computers located at COMPANY-B, via an IPsec tunnel between the
  two companies.
  All communications are via TCP protocol.
  All devices present public IP addresses to one another, although they
  may have RFC 1918 addresses on other interfaces, and NAT may be in use
  on the COMPANY-B side.  (NAT is not being used on the COMPANY-A side.)
  The players:(Note: first three octets have been changed for security reasons)
  COMPANY-A computer      1.2.3.161
  COMPANY-A router        1.2.3.8 (also IPsec peer)
  COMPANY-A has 1.2.3.0/24 with no subnetting.
  COMPANY-B router        4.5.6.228 (also IPsec peer)
  COMPANY-B computer #1   4.5.7.94 (this one has no issues)
  COMPANY-B computer #2   4.5.7.29 (this one fails)
  COMPANY-B has 4.5.6.0/23 subnetted in various ways.
  COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
  What works:
  The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
  tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
  The "show crypto session detail" command shows Inbound/Outbound packets
  flowing in the dec'ed and enc'ed positions.
  What doesn't:
  When the COMPANY-A computer 1.2.3.161 attempts to communicate
  via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
  the COMPANY-A router eventually reports five of these messages:
  Oct  9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
  Oct  9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
  Oct  9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
  Oct  9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
  Oct  9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
  Oct  9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
  and the "show crypto session detail" shows inbound packets being dropped.
  The COMPANY-A computer that opens the TCP connection never gets past the
  SYN_SENT phase of the TCP connection whan trying to communicate with the
  COMPANY-B computer #2, and the repeated error messages are the retries of
  the SYN packet.
  On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
  a 3725, and some 76xx routers were tried, all with similar behavior,
  with packets from one far-end computer passing fine, and packets from
  another far-end computer in the same netblock passing through the same
  IPsec tunnel failing with the "failed SA identity" error.
  The COMPANY-A computer directs all packets headed to COMPANY-B via the
  COMPANY-A router at 1.2.3.8 with this set of route settings:
  netstat -r -n
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
  4.5.7.0         1.2.3.8         255.255.255.0   UG        0 0          0 eth3
  1.2.3.8.0       0.0.0.0         255.255.255.0   U         0 0          0 eth3
  10.1.0.0        0.0.0.0         255.255.240.0   U         0 0          0 eth0
  169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth3
  10.0.0.0        10.1.1.1        255.0.0.0       UG        0 0          0 eth0
  0.0.0.0         1.2.3.1         0.0.0.0         UG        0 0          0 eth3
  The first route line shown is selected for access to both COMPANY-B computers.
  The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
  configuration:
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  lifetime 28800
  crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
  crypto ipsec security-association lifetime seconds 86400
  crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
  crypto map COMPANY-BMAP1 10 ipsec-isakmp
  description COMPANY-B VPN
  set peer 4.5.6.228
  set transform-set COMPANY-B01
  set pfs group2
  match address 190
  interface FastEthernet0/0
  ip address 1.2.3.8 255.255.255.0
  no ip redirects
  ip virtual-reassembly
  duplex auto
  speed auto
  no cdp enable
  crypto map COMPANY-BMAP1
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 1.2.3.1
  ip route 10.0.0.0 255.0.0.0 10.1.1.1
  ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
  access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
  access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
  bridge 1 protocol ieee
  One of the routers tried had this IOS/hardware configuration:
  Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
  RELEASE SOFTWARE (fc2)
  isco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
  Processor board ID XXXXXXXXXXXXXXX
  R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
  2 FastEthernet interfaces
  4 ATM interfaces
  DRAM configuration is 64 bits wide with parity disabled.
  55K bytes of NVRAM.
  31296K bytes of ATA System CompactFlash (Read/Write)
  250368K bytes of ATA Slot0 CompactFlash (Read/Write)
  Configuration register is 0x2102
  #show crypto sess
  Crypto session current status
  Interface: FastEthernet0/0
  Session status: UP-ACTIVE
  Peer: 4.5.6.228 port 500
    IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
    IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
          Active SAs: 2, origin: crypto map
    IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
          Active SAs: 0, origin: crypto map
  #show crypto sess det
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
  Interface: FastEthernet0/0
  Session status: UP-ACTIVE
  Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
        Phase1_id: 4.5.6.228
        Desc: (none)
    IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
            Capabilities:(none) connid:1 lifetime:06:26:27
    IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
          Active SAs: 2, origin: crypto map
          Inbound:  #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
          Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
    IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
  Version 6.1 (ScreenOS)
  We only have a limited view into the Juniper device configuration.
  What we were allowed to see was:
  COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
  set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
  set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx  proposal "pre-g2-3des-sha"
  set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
  set policy id 2539 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
  set policy id 2500 from "Trust" to "Untrust"  "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
  set policy id 2541 from "Trust" to "Untrust"  "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
  set policy id 2540 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
  COMPANY-B-ROUTER(M)->
  I suspect that this curious issue is due to a configuration setting on the
  Juniper device, but neither party has seen this error before.  COMPANY-B
  operates thousands of IPsec VPNs and they report that this is a new error
  for them too.  The behavior that allows traffic from one IP address to
  work and traffic from another to end up getting this error is also unique.
  As only the Cisco side emits any error message at all, this is the only
  clue we have as to what is going on, even if this isn't actually an IOS
  problem.
  What we are looking for is a description of exactly what the Cisco
  IOS error message:
  IPSEC(epa_des_crypt): decrypted packet failed SA identity check
  is complaining about, and if there are any known causes of the behavior
  described that occur when running IPsec between Cisco IOS and a Juniper
  SSG device.  Google reports many other incidents of the same error
  message (but not the "I like that IP address but hate this one" behavior),
  and not just with a Juniper device on the COMPANY-B end, but for those cases,
  not one was found where the solution was described.
  It is hoped that with a better explanation of the error message
  and any known issues with Juniper configuration settings causing
  this error, we can have COMPANY-B make adjustments to their device.
  Or, if there is a setting change needed on the COMPANY-A router,
  that can also be implemented.
  Thanks in advance for your time in reading this, and any ideas.

  Hello Harish,
  It is believed that:
  COMPANY-B computer #1   4.5.7.94 (this one has no issues)
  COMPANY-B computer #2   4.5.7.29 (this one fails)
  both have at least two network interfaces, one with a public IP address
  (which we are supposedly conversing with) and one with a RFC 1918 type
  address.   COMPANY-B is reluctant to disclose details of their network or
  servers setup, so this is not 100% certain.
  Because of that uncertainty, it occurred to me that perhaps COMPANY-B
  computer #2 might be incorrectly routing via the RFC 1918 interface.
  In theory, such packets should have been blocked by the access-list on both
  COMPANY-A router, and should not have even made it into the IPsec VPN
  if the Juniper access settings work as it appears they should.  So I turned up
  debugging on COMPANY-A router so that I could see the encrypted and
  decrypted packet hex dumps.
  I then hand-disassembled the decoded ACK packet IP header received just
  prior to the "decrypted packet failed SA check" error being emitted and
  found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
  in the unecapsulated packet.  I also found the expected port numbers of the TCP
  conversation that was trying to be established in the TCP header.  So, it
  looks like COMPANY-B computer #2 is emitting the packets out the right
  interface.
  The IP packet header of the encrypted packet showed the IP addresses of the
  two routers at each terminus of the IPsec VPN, but since I don't know what triggers
  the "SA check" error message or what it is complaining about, I don't know what
  other clues to look for in the packet dumps.
  As to your second question, "can you check whether both encapsulation and
  decapsulation happening in 'show crypto ipsec sa'",   the enc'ed/dec'ed
  counters were both going up by the correct quantities.  When communicating
  with the uncooperative COMPANY-B computer #2, you would also see the
  received Drop increment for each packet decrypted.  When communicating
  with the working COMPANY-B computer #1, the Drop counters would not
  increment, and the enc'ed/dec'ed would both increment.
  #show crypto sess det
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
  Interface: FastEthernet0/0
  Session status: UP-ACTIVE
  Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
        Phase1_id: 4.5.6.228
        Desc: (none)
    IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
            Capabilities:(none) connid:1 lifetime:07:59:54
    IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
          Active SAs: 2, origin: crypto map
          Inbound:  #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
          Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
  Attempt a TCP communication to COMPANY-B computer #2...
  show crypto sess det
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
  Interface: FastEthernet0/0
  Session status: UP-ACTIVE
  Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
        Phase1_id: 4.5.6.228
        Desc: (none)
    IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
            Capabilities:(none) connid:1 lifetime:07:59:23
    IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
          Active SAs: 2, origin: crypto map
          Inbound:  #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
          Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
  Note Inbound "drop" changed from 5 to 6.  (I didn't let it sit for all
  the retries.)
  #show crypto ipsec sa
  interface: FastEthernet0/0
      Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
     remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
     current_peer 4.5.6.228 port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
      #pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 3, #recv errors 6
       local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 0xDF2CC59C(3744253340)
    inbound esp sas:
        spi: 0xD9D2EBBB(3654478779)
          transform: esp-3des esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
          sa timing: remaining key lifetime (k/sec): (4458307/28600)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0xDF2CC59C(3744253340)
          transform: esp-3des esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
          sa timing: remaining key lifetime (k/sec): (4458307/28600)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       outbound ah sas:
       outbound pcp sas:
  The "send" errors appear to be related to the tunnel reverting to a
  DOWN state after periods of inactivity, and you appear to get one
  each time the tunnel has to be re-negotiated and returned to
  an ACTIVE state.  There is no relationship between Send errors
  incrementing and working/non-working TCP conversations to the
  two COMPANY-B servers.
  Thanks for pondering this very odd behavior.

• HTTPS communication using HTTP receiver adapter URL address as Address Type

  Hi All,
  If some one who has tried HTTPS communication using HTTP receiver adapter using URL address as Address type can you please guide me what are the steps need to be done.
  Note : Address type is a parameter in HTTP adapter setup .
  Regards,
  Reddy

  Hi,
  Check this,
  Configurations in Integration Directory
  The plain HTTP adapter gives the receiver system the following specifications:
  — Specifications for addressing using a URL address:
  Target host, service number, and path prefix including query string:
  http://<hostname:port>/<path>?<query-string>
  You can identify the target host (HTTP port) of a SAP Web Application Server using
  the
  ICM monitor
  Host and port of the HTTP proxy (optional if there is a firewall between the plain
  HTTP adapter and the receiver system)
  Authentication data for the receiver system.
  See also: transaction Display and Maintain RFC Destinations (SM59).
  &#151; Specifications for addressing using an HTTP destination:
  HTTP destination
  &#151; Parameters from the communication channel for technical routing
  Content type (the entry text/XML is expected as default)
  Specifies the format that the message contents (the payload) should have.
  Optional header fields for the receiver-specific protocol
  Attributes for the query string
  1. Sender party
  2. Sender service
  3. Receiver Interface
  4. Message ID
  5. Quality of service
  6. Queue ID
  All attributes are selected except for the queue ID. If you do not want a value to be
  transferred to the receiver, deselect it. The queue ID is only required if the quality of
  service is EOIO.
  Specifications for payload manipulation
  XML code (default UFT-8)
  Specifies the character set.
  URL escaping
  Presents the XML in a URL-enabled format. Special characters that could be
  interpreted as control characters are replaced with escape characters (masked).
  Prolog
  Enhances the payload for particular servers (optional, see below).
  Epilog
  Enhances the payload for particular servers (optional, see below).
  Enhancing the Payload
  Regards
  Seshagiri

• SBO - Integrity Check

  Hi,
  I have created some user defined tables and their respective menus to activate the tables i.e. when the user clicks on the user defined menus, the corresponding user defined tables will open.
  Now I want to perform an integrity check before the user deletes a record. I have tried to catch the form id in the menu event when the user selects ‘Remove’ menu but the form id changes every time.
  Moreover when I am using the form ids generated by the System Information that are linked to the user defined tables, I am unable to activate the tables using my user defined menus.
  I have also tried to disable the ‘Remove’ menu so as to create my own menu to perform the delete operation but the system does not allow me to do so and I am receiving the following error message:
  “Form - Operation is not supported on system form, [66000-30].”
  Is there a way to perform a check in the user defined tables before a row is removed from the tables?
  Thanks

  Hi,
  I think you could find out which table the user wants to manipulate through the DBDataSource behind the form.
  BTW: If B1 displays a form it uses the prefix "F_" and then increments the number during a session... Form Type is fixed, but that's not enough for your purposes...
  >Moreover when I am using the form ids generated by the System Information that
  >are linked to the user defined tables, I am unable to activate the tables using my
  >user defined menus.
  Sorry, I am not sure I understand. Could you post some code?
  ...you can suppress the action B1 would perform by setting BubbleEvent = False when BeforeAction = True...
  HTH

• HOWTO: Create a Boot Configuration That Has No Driver Signature Checks. Disable Driver Integrity Checks and Install a Custom Non-Signed Driver

  Hello,
  Recently, I had a task where I needed to install a custom non-signed driver onto my Windows 8 64-bit setup. As it is known, Windows has driver enforcement policies that, as a security measure, do not allow you to install non-signed drivers.
  I did not want to alter my current boot configuration so I decided to create a separate boot entry that would have driver signing policies disabled. For some reason I did not find any good source that would contain a step-by-step instruction on completing
  this task, so I decided that I'd better share my experience here.
  Lastly, there are multiple ways how you could turn off driver enforcement policies, but I find the way to do this via boot manager.
  Here's how you can do that.
  1. Press WindowsKey and type 'cmd' (without quotes) to find Command prompt, then click Command prompt icon. If you have User Account Control turned on, hold Ctrl+Shift keys pressed when clicking the icon.
  This will force Windows to ask you for elevation of command prompt. Elevation is necessary for editing Boot Configuration Database (BCD), the database used by Windows boot manager to store boot settings.
  2. In the User Account Control window click Yes to confirm elevation of command shell.
  3. At the command prompt type
  bcdedit
  to list your BCD entries.
  This will give you an output like:
  Windows Boot Manager
  identifier {bootmgr}
  device partition=\Device\HarddiskVolume2
  path \EFI\Microsoft\Boot\bootmgfw.efi
  description Windows Boot Manager
  locale en-US
  inherit {globalsettings}
  integrityservices Enable
  default {current}
  resumeobject {a329b5cf-fb29-11e1-a74d-f2c962d62240}
  displayorder {a329b5d0-fb29-11e1-a74d-f2c962d62240}
  {a329b5cc-fb29-11e1-a74d-f2c962d62240}
  {a329b5ca-fb29-11e1-a74d-f2c962d62240}
  {a329b5c2-fb29-11e1-a74d-f2c962d62240}
  {current}
  {a329b5d8-fb29-11e1-a74d-f2c962d62240}
  toolsdisplayorder {memdiag}
  timeout 30
  Windows Boot Loader
  identifier {a329b5d0-fb29-11e1-a74d-f2c962d62240}
  device vhd=[D:]\win8prowmc01.vhdx
  path \Windows\system32\winload.efi
  description Windows 8
  locale en-US
  inherit {bootloadersettings}
  recoverysequence {a329b5d1-fb29-11e1-a74d-f2c962d62240}
  recoveryenabled Yes
  isolatedcontext Yes
  allowedinmemorysettings 0x15000075
  osdevice vhd=[D:]\win8prowmc01.vhdx
  systemroot \Windows
  resumeobject {a329b5cf-fb29-11e1-a74d-f2c962d62240}
  nx OptIn
  bootmenupolicy Standard
  The section that starts with Windows Boot Manager lists current settings for the boot menu. Here you find what boot entry is chosen by default, this is the one what you will boot into if you do not select any boot entry in the
  boot menu.
  The following record
  default {current}
  indicates that by default my Windows boots into configuration which I use at the moment (currently booted Windows configuration).
  To find out what exactly is current configuration, look into the list of boot entries, records that contain boot loader configuration and are titled as Windows Boot Loader in the bcdedit output.
  For example, the entry shown above is one of my boot configurations. This is one of the boot entries listed on the boot manager screen when I start my PC and it looks like:
  Windows Boot Loader
  identifier {a329b5d0-fb29-11e1-a74d-f2c962d62240}
  device vhd=[D:]\win8prowmc01.vhdx
  path \Windows\system32\winload.efi
  description Windows 8
  locale en-US
  inherit {bootloadersettings}
  recoverysequence {a329b5d1-fb29-11e1-a74d-f2c962d62240}
  recoveryenabled Yes
  isolatedcontext Yes
  allowedinmemorysettings 0x15000075
  osdevice vhd=[D:]\win8prowmc01.vhdx
  systemroot \Windows
  resumeobject {a329b5cf-fb29-11e1-a74d-f2c962d62240}
  nx OptIn
  bootmenupolicy Standard
  This record has a unique GUID identifier that can be used to reference this boot entry, which is:
  identifier {a329b5d0-fb29-11e1-a74d-f2c962d62240}
  If we look at the Windows Boot Manager settings, we'll see this entry is the first in order to be displayed in the boot menu on OS start (I marked the unique bits):
  displayorder {a329b5d0-fb29-11e1-a74d-f2c962d62240}
  {a329b5cc-fb29-11e1-a74d-f2c962d62240}
  It references my VHD drive, a virtual hard drive where my Windwos 8 setup is residing:
  device vhd=[D:]\win8prowmc01.vhdx
  And it also specifies that the boot manager must use UEFI BIOS extension code to access my Windows boot partition:
  path \EFI\Microsoft\Boot\bootmgfw.efi
  3. Now locate the current boot entry.
  Current boot entry contains boot settings used to boot into Windows configuration to which you are currently booted. It is referenced in the list of boot entries as a Windows Boot Loader record that has the {current} keyword inside and may
  look like:
  Windows Boot Loader
  identifier {current}
  device vhd=[D:]\win8rtm.vhdx
  path \Windows\system32\winload.efi
  description Windows 8 Enterprise RTM
  locale en-US
  inherit {bootloadersettings}
  recoverysequence {a329b5c3-fb29-11e1-a74d-f2c962d62240}
  integrityservices Enable
  recoveryenabled Yes
  isolatedcontext Yes
  allowedinmemorysettings 0x15000075
  osdevice vhd=[D:]\win8rtm.vhdx
  systemroot \Windows
  resumeobject {a329b5c1-fb29-11e1-a74d-f2c962d62240}
  nx OptIn
  bootmenupolicy Standard
  hypervisorlaunchtype Auto
  Because we are more than happy with current configuration and want to base our new boot configuration on these settings, we need to copy this boot entry ({current}) to a new boot entry.
  This is done by running the following command:
  C:\Windows\system32>bcdedit /copy {current} /d "No Driver Signature Check"
  Parameter /d here indicates that the following sequence of characters specifies the display name for the new boot entry that we are creating. The name inside the double quotes will be displayed in the boot menu when you boot your Windows.
  In other words, if you know restart your system, you'll see the new No Driver Signature Check in the boot menu.
  When copied, the entry is automatically given a new GUID identifier, so upon running the command above, you'll see the following line returned (you'll have an other GUID since these are unique identifiers):
  The entry was successfully copied to {a329b5d8-fb29-11e1-a74d-f2c962d62240}.
  4. Make sure the entry has been successfully created.
  Run the same bcdedit. (You may specify /enum or /v, or both /enum /v parameters at the prompt to get more detail about boot entries, but simple bcdedit is just enough to see the new entry):
  C:\Windows\system32>bcdedit
  Windows Boot Manager
  identifier {bootmgr}
  device partition=\Device\HarddiskVolume2
  path \EFI\Microsoft\Boot\bootmgfw.efi
  description Windows Boot Manager
  locale en-US
  inherit {globalsettings}
  integrityservices Enable
  default {current}
  resumeobject {a329b5cf-fb29-11e1-a74d-f2c962d62240}
  displayorder {a329b5d0-fb29-11e1-a74d-f2c962d62240}
  {a329b5cc-fb29-11e1-a74d-f2c962d62240}
  {a329b5ca-fb29-11e1-a74d-f2c962d62240}
  {a329b5c2-fb29-11e1-a74d-f2c962d62240}
  {current}
  {a329b5d8-fb29-11e1-a74d-f2c962d62240}
  toolsdisplayorder {memdiag}
  timeout 30
  Windows Boot Loader
  identifier {current}
  device vhd=[D:]\win8rtm.vhdx
  path \Windows\system32\winload.efi
  description Windows 8 Enterprise RTM
  locale en-US
  inherit {bootloadersettings}
  recoverysequence {a329b5c3-fb29-11e1-a74d-f2c962d62240}
  integrityservices Enable
  recoveryenabled Yes
  isolatedcontext Yes
  allowedinmemorysettings 0x15000075
  osdevice vhd=[D:]\win8rtm.vhdx
  systemroot \Windows
  resumeobject {a329b5c1-fb29-11e1-a74d-f2c962d62240}
  nx OptIn
  bootmenupolicy Standard
  hypervisorlaunchtype Auto
  Windows Boot Loader
  identifier {a329b5d8-fb29-11e1-a74d-f2c962d62240}
  device vhd=[D:]\win8rtm.vhdx
  path \Windows\system32\winload.efi
  description No Driver Signature Check
  locale en-US
  inherit {bootloadersettings}
  recoverysequence {a329b5c3-fb29-11e1-a74d-f2c962d62240}
  integrityservices Enable
  recoveryenabled Yes
  isolatedcontext Yes
  allowedinmemorysettings 0x15000075
  osdevice vhd=[D:]\win8rtm.vhdx
  systemroot \Windows
  resumeobject {a329b5c1-fb29-11e1-a74d-f2c962d62240}
  nx OptIn
  bootmenupolicy Standard
  hypervisorlaunchtype Auto
  The entry has been created and given a unique a329b5d8-fb29-11e1-a74d-f2c962d62240 ID. It now has exactly same boot settings as the boot entry we used to boot into current configuration of Windows.
  5. Modify created  No Driver Signature Check entry and specify that Windows must have driver integrity checks disabled when booted using this boot entry.
  Any modifications to boot entries are made using /set parameter. To indicate that we modify a specific boot entry, we must specify the GUID for the No Driver Signature Check record, which is:
  identifier {a329b5d8-fb29-11e1-a74d-f2c962d62240}
  In other words, to edit (add or change) an option for the boot entry, we need to use the following command syntax:
  C:\Windows\system32>bcdedit /set GUID <boot_option> [<option_value>]
  First, we must specify that we don't want integrity checks be made. This is done by adding the loadoptions option and setting it to DISABLE_INTEGRITY_CHECKS value:
  C:\Windows\system32>bcdedit /set {a329b5d8-fb29-11e1-a74d-f2c962d62240} loadopti
  ons DISABLE_INTEGRITY_CHECKS
  The operation completed successfully.
  6. Verify that load option has been added.
  Run the bcdedit command:
  Windows Boot Loader
  identifier {current}
  device vhd=[D:]\win8rtm.vhdx
  path \Windows\system32\winload.efi
  description Windows 8 Enterprise RTM
  locale en-US
  inherit {bootloadersettings}
  recoverysequence {a329b5c3-fb29-11e1-a74d-f2c962d62240}
  integrityservices Enable
  recoveryenabled Yes
  isolatedcontext Yes
  allowedinmemorysettings 0x15000075
  osdevice vhd=[D:]\win8rtm.vhdx
  systemroot \Windows
  resumeobject {a329b5c1-fb29-11e1-a74d-f2c962d62240}
  nx OptIn
  bootmenupolicy Standard
  hypervisorlaunchtype Auto
  Windows Boot Loader
  identifier {a329b5d8-fb29-11e1-a74d-f2c962d62240}
  device vhd=[D:]\win8rtm.vhdx
  path \Windows\system32\winload.efi
  description No Driver Signature Check
  locale en-US
  loadoptions DISABLE_INTEGRITY_CHECKS
  inherit {bootloadersettings}
  recoverysequence {a329b5c3-fb29-11e1-a74d-f2c962d62240}
  integrityservices Enable
  recoveryenabled Yes
  isolatedcontext Yes
  allowedinmemorysettings 0x15000075
  osdevice vhd=[D:]\win8rtm.vhdx
  systemroot \Windows
  resumeobject {a329b5c1-fb29-11e1-a74d-f2c962d62240}
  nx OptIn
  bootmenupolicy Standard
  hypervisorlaunchtype Auto
  7. Add the option that turns on test signing mode and disables checks of driver signature.
  Adding the testsigning option and setting it to ON does the trick for us:
  C:\Windows\system32>bcdedit /set {a329b5d8-fb29-11e1-a74d-f2c962d62240} TESTSIGNING ON
  8. Now we have a boot entry that enables Windows not to do integrity checks and digital signature validation.
  We check it by running bcdedit:
  Windows Boot Loader
  identifier {a329b5d8-fb29-11e1-a74d-f2c962d62240}
  device vhd=[D:]\win8rtm.vhdx
  path \Windows\system32\winload.efi
  description No Driver Signature Check
  locale en-US
  loadoptions DISABLE_INTEGRITY_CHECKS
  inherit {bootloadersettings}
  recoverysequence {a329b5c3-fb29-11e1-a74d-f2c962d62240}
  integrityservices Enable
  recoveryenabled Yes
  testsigning Yes
  isolatedcontext Yes
  allowedinmemorysettings 0x15000075
  osdevice vhd=[D:]\win8rtm.vhdx
  systemroot \Windows
  resumeobject {a329b5c1-fb29-11e1-a74d-f2c962d62240}
  nx OptIn
  bootmenupolicy Standard
  hypervisorlaunchtype Auto
  9. Type 'exit' without quotes to exit from command prompt, and restart Windows.
  Upon booting you will be present with a new boot option to start Windows in configuration that allows you to install custom non-signed drivers.
  Hope this will help anybody to create their own custom boot configurations.
  Well this is the world we live in And these are the hands we're given...

  Hi,
  Thank you for sharing the solutions & experience here. It will be very beneficial for other community members who have similar questions. 
  Regards,
  Kelvin hsu
  TechNet Community Support

• Use of foreign key check in ABAP reports

  Hi,
  I'm trying to understand if it's possible to use a foreign key integrity check in an ABAP reports. I have understood that this kind of check is deactivated for performance reasons, is it right?
  In this case I'd like to know if it is possible to activate the foreign key check "on demand", or just for a particular table.
  As an example, I'd like to use the foreign key defined on attribute AKONT of table KNB1, that points on the related attribute of table SKB1.
  Thanks,
  Gabriele

  Welcome on SCN!
  I'm trying to understand if it's possible to use a foreign key integrity check in an ABAP reports. I have understood that this kind of check is deactivated for performance reasons, is it right?
  Most likely yes. Integrity is turned OFF for Open SQL statements but is turned ON for screen fields.
  If you just create screen parameter like
  parameters pa_akont type knb1-akont.
  ...then input help for that field will be automatically provided. This means that you will not be able to pick or enter value different that this allowed from SKB1 table (foreign key relationship will be checked).
  You can explicitly assign different input help or search help for certain screen field independently of type it is refering i.e by means of fm F4IF_FIELD_VALUE_REQUEST .
  This however still relates only to screen fields, not fields used directly in ABAP statement.
  Regards
  Marcin

• Error while installing Adobe Reader "Did not pass integrity check"

  When the download manager gets to about 80% this error pops up every time, I have tried clearing the temporary files, restarting my computer donwloading an older version but nothing works.
  The entire message says:
  "Adobe Reader":
  "Adobe Reader":
  The Download did not pass the integrity check (16291.304.428)
  I have windows 7, 32 bit. Help please!

  Don't use the download manager; download the installer directly from http://ardownload.adobe.com/pub/adobe/reader/win/10.x/10.0.0/en_US/AdbeRdr1000_en_US.exe (English version 10.0 for Windows).
  Use this link if you need another version http://get.adobe.com/reader/enterprise/

• Problem in configuring SSO using SAML for applications hosted on diff m/c

  Hi Techies,
  I am stuck in a weird problem for past month or so without any resolution. Not much help by googling. So I hope i get the answer from the mouth of the horses -
  I am trying to use SSO using the sample application appA and appB as stated in the tutorial of SSO by BEA.
  I am summarizing the problem below -
  Steps followed for Configuring SSO using SAML
  1. Created 2 domains on 2 seperate machines namely domainA and domainB
  2. Source appliction is deployed on domainA and the target application is deployed on domaninB
  The steps mentioned in the following tutorial has been followed-
  http://dev2dev.bea.com/pub/a/2006/12/sso-with-saml.html
  3. As mentioned in the tutorial the certificate is generated using keytool utility. The same certificate is copied
  to WEBLOGIC_HOME/server/lib of destination machine.
  4. The certificate was successfully registered on desitnation or host 2 but while activating the configuration
  changes(SSL client Ientity Alias and SSL Client Identity Pass Phrase) for Federation services the following error
  is thrown -
  " SAMLBeanUpdateListener: SAMLKeyManager.prepareUpdate() failed with exception:
  weblogic.descriptor.BeanUpdateRejectedException: SAML key Manage failed to validate key (SSL Client) configuration
  in the FederationServicesMBean, key alias: testalias "
  The interesting bit of the problem is that the same configuration works on 2 domains created on same machine. The
  problem only occurs when domains are created on seperate machines.
  Alterative to the problem: when the certificate is generated seperately for domainB and copied to
  WEBLOGIC_HOME/server/lib, it works. However, the certificate generated in domainA should have been copied.
  Note: I am using Weblogic portal 9.2.1
  Any quick replies will be much appreciated. Thanks.
  Edited by saurabh.agrawal at 02/06/2008 2:01 PM

  Hi François,
  You are right about the use of the NameID format. But the issue here is/was that OIF at SP is integrated with OAM, and the authenticated user at OIF-SP and OAM will be the Anonymous user rather than the user who was identified at the IdP even though the remaining attributes sent are for the IdP user. I think these attributes can be used by with OAM for authorization using custom authorization plug-ins but haven't tried that one out.
  As for the attribute sharing profile, it's this one - http://www.oasis-open.org/committees/download.php/18058/sstc-saml-x509-authn-attrib-profile-cd-02.pdf, although for the life of me, I cannot remember why I suggested this in the first place!
  -Vinod

• SSO using spnego set up but not working for an Enterprise Web Service

  Hello, I am looking for some guidance. I have a function module that is exposed as a web service. I am trying to be able to access the web service with sso so the user does not need to logon. Systems has set up SSO using spnego to issue sap login tickets on our dual stack and sso is working if I try to access a netweaver link such as http://mycompany:8001/nwa but it is not working when I try to access my service
  http://mycompany.com:8001/sap/bc/srt/rfc/sap/myservice/500/myservice/myservice. I am wondering why this would not work and if it is possible to use sso with enterprise services?
  Thanks for any help...we have been stuck for a while now.
  Edited by: Katie Doody on Jul 13, 2011 3:48 PM

  Hi, I have created the redirect app with a jsp page in it. So, would you be suggesting that I add another call within there? In the error pages section of my web service in sicf I have the redirect going to my redirect jsp which is then sent to my web service.
  http://myserver:50100/redirectApp/redirect.jsp?to=http://myserver:8001/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert
  Here is  part of the the log from SMICM. It looks like I am making a connection but I am not sure what to look for to determine if the tickets is being sent and received.
  Thr 4824] HttpSubHandlerClose: Call Handler: HttpSAPR3Handler (00000001404EABA0), task=TASK_CLOSE(3)
  [Thr 4824] HttpSubHandlerClose: Call Handler: HttpJ2EEHandler (00000001404EAA70), task=TASK_CLOSE(3)
  [Thr 4824] HttpJ2EEHandler called: task=3
  [Thr 4824] Handler 3: HttpAuthHandler matches url: /sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_ins
  [Thr 4824] Handler 4: HttpCacheHandler matches url: /sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_in
  [Thr 4824] Handler 2: HttpSAPR3Handler matches url: /sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_in
  [Thr 4824] Handler 0: HttpJ2EEHandler matches url: /sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_ins
  [Thr 4824] HttpSubHandlerCall: Call Handler: HttpAuthHandler, task=1, header_len=647
  [Thr 4824] >> start >> CsiGetInstance(0000000000E79950)
  [Thr 4824] << end   << CsiGetInstance(0000000000E79950) returned inst=00000000005A5030
  [Thr 4824] >> start >> CsiExecute(00000000005A5030,000000000CB19CE0,85,1,000000000CB19CD0,000000000CB1BE10,0)
  [Thr 4824] >> VsaScan(00000000005A72F0,000000000055D750,000000000055D790,00000000005B94F0,NULL) >>
  [Thr 4824] << VsaScan(00000000005A72F0,000000000055D750,000000000055D790,00000000005B94F0,NULL) = 0 <<
  [Thr 4824] << end   << CsiExecute(CSI_RC==VSI_OK)
  [Thr 4824] >> start >> CsiFreeInstance(00000000005A5030)
  [Thr 4824] << end   << CsiFreeInstance(CSI_RC==VSI_OK)
  [Thr 4824] HttpSubHandlerItDeactivate: handler 0: HttpAuthHandler
  [Thr 4824] HttpSubHandlerCall: Call Handler: HttpCacheHandler, task=1, header_len=647
  [Thr 4824] HttpCacheHandler: 1 647 00000001404EACD0 0000000000000000
  [Thr 4824] ISC: Cache Lookup. 1. try: browser independent.
  [Thr 4824] ISC: hashed querystr = 7e8c2651 'null&*&'
  [Thr 4824] HttpCacheMakeObjectKey() -> '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&
  [Thr 4824] MTX_LOCK 1635 0000000000E77AA0
  [Thr 4824] MTX_UNLOCK 1766 0000000000E77AA0
  [Thr 4824] IctCmOpen#3977 R '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&1562C8E7&'.
  [Thr 4824] MTX_LOCK 1635 0000000000E77950
  [Thr 4824] MTX_UNLOCK 1766 0000000000E77950
  [Thr 4824] IctCmOpen#11089 R '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&1562C8E7&'
  [Thr 4824] ISC: Cache Lookup. 2. try: browser specific key.
  [Thr 4824] ISC: hashed querystr = 83bd39d4 'null&Mozilla/4.0 (compatible; MSIE 8.0;&'
  [Thr 4824] HttpCacheMakeObjectKey() -> '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&
  [Thr 4824] MTX_LOCK 1635 0000000000E77AA0
  [Thr 4824] MTX_UNLOCK 1766 0000000000E77AA0
  [Thr 4824] IctCmOpen#3978 R '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&4D93DB38&'.
  [Thr 4824] MTX_LOCK 1635 0000000000E77950
  [Thr 4824] MTX_UNLOCK 1766 0000000000E77950
  [Thr 4824] IctCmOpen#11090 R '/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert&&&GZ=1&4D93DB38&'
  [Thr 4824] HttpCacheHandler: cache miss.
  [Thr 4824] HttpSubHandlerItDeactivate: handler 1: HttpCacheHandler
  [Thr 4824] HttpSubHandlerCall: Call Handler: HttpSAPR3Handler, task=1, header_len=647
  [Thr 4824] HttpSAPR3Handler: url_tab_init: 1, force_dest: 0
  [Thr 4824] ICT: IctLookupPathTable() -> 0
  Thank you,
     Katie
  Edited by: Katie Doody on Jul 22, 2011 3:25 PM

• Using HTTP Receive ocation in BizTalk

  Hi All,
   I want to receive messages by using HTTP Receive location in BizTalk. Below are my steps.
  1. Created App pool with .net framework 4 in IIS 7
  2. Created virtual directory 'BTSHTTPReceive' with 64bit BTSHTTPReceive.dll with the above app pool in IIS 7
  3. Created HTTP receive location in BizTalk with /BTSHTTPReceive/BTSHTTPReceive.dll and started in admin console of BizTalk
  Correct me if I am wrong.
  Now my question is,
  How to send message to HTTP receive location of BizTalk?
  Is there any tool to push message to BizTalk via HTTP adapter?
  Thanks UK

  You need to use post method. however check here what to use based on your requirement.
  Also you can set the user authentication/password details in Soap UI.
  Before that please go through the sub topics at here to validate if your configuration is correct and make changes if required, be it at IIS level or
  at BizTalk host level or at SOAP UI, where ever needed.
  Also make sure the account which you are using to post the message has proper access to IIS/Biztalk. 
  Please mark the post as answer if this answers your question. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.