SSO with ASA and CITRIX

Hi,
I don't know whether this is the right forum, but I will try to ask my question in the hope that somebody can give me an answer:
I installed an ASA Security Appliance with the WebVPN feature to connect to an internal Citrix server farm. All authentication and authorization information is handled by a Secure ACS, which is connected to ADS. All works fine. But now I want Single Sign-On to the Citrix farm, meaning that the authentication information has to be passed to Citrix without entering it twice...
Is there anybody out there who got this working? SSO with basic authentication to an Apache webserver works just fine...
Which authentication information is required for the Citrix Web Interface?
Thanks in advance!
Bernd

My customer is using pure HTTP between the Citrix server and the Citrix client. They want to access it through the VPN concentrator using the WebVPN feature. After checking the Citrix MetaFrame option on the VPN concentrator, when they try to access it the client hangs, and the error we get is that SSL should be installed on the Citrix server, as we use SSL between the client and the VPN concentrator. My question is: could Citrix be accessed via pure HTTP between the Citrix server and the client? In this case, how do we fix this error, or are we obliged to use SSL even between the Citrix server and the client?

Similar Messages

  • BO XI 3.1 SP3 SSO with CMC and Webi Rich Client

    Hello,
    Is it possible in BO XI 3.1 SP3 to use SSO with CMC and Webi Rich Client?
    It works fine with InfoView, Designer and Desktop Intelligence.
    Regards

    Hi,
    What kind of SSO authentication are you trying to set up? (AD, LDAP,...)
    I think it's AD regarding your command line.
    But be aware that in SSO, you don't need to configure the command line to run the client.
    Have a look at the following guide.
    [Configuring Manual Kerberos Authentication and-or SSO in Distributed Environments with XI 3.1 SP3.pdf|https://bosap-support.wdf.sap.corp/sap/support/sapnotes/public/services/attachment.htm?iv_key=002007204200000183782010&iv_version=0005&alt=2BCE4CB10DF674B172F4F3F7B32A284F49333135358877720E883731B332AF34CACD2AB52C0A2C8DCACA09084EF4CB494E4E0F2ECE8E2F89772908C9CE70CD2DF77675F7F2D1750C09514BCECFCFCE4C8DCF4BCC4DB5F575F4F4F3F57771F571F6F70B01B25D83D4120B0A722092A599504EB16D715E3E00&iv_guid=DF838310BFAAE8F1B486001A64C54696]
    Regarding accessing the CMC with SSO, it's not recommended at all, as if you break this access, then you can't connect anymore to the CMC and modify settings.
    Regards,
    Philippe
    Edited by: Philippe Tavares on Feb 15, 2011 4:11 PM

  • Routing issue with ASA and UC540 phone system - at ASA???

    Having an issue with routing from the PC at .242 to the CUE server at 10.1.10.1. The CUE server is built into the UC540 phone system. It is an internal piece of software that is used for voicemail and management. The UC540 is not only a call router, it is also an IOS router. It has its own WAN connection, as does the ASA.
    Here are some facts:
    1. Can ping the UC540's internal CUE server from the PC (ping to 10.1.10.1)
    2. Can ping the UC540's VLAN 1 address from the PC (ping to 10.1.10.1)
    3. The ASA is the default gateway for the PC.
    4. I have a route inserted at the asa that is:
                   route 10.1.10.1 255.255.255.0 10.19.250.254 1
    5. I have a NAT statement that prevents NAT from occurring, but I don't think this is necessary as the 10.1.10.0/24 network isn't otherwise defined on the ASA.
    6. I cannot pull up a web page when I point the browser on the PC to the 10.1.10.1 address
    7. I CAN pull up a web page on the PC when I create a static route on the PC itself:
                   route add 10.1.10.1 mask 255.255.255.0 10.19.250.254
         It is only with this route that I am able to get to the web GUI on the phone system.
    8. The phone system has a loopback interface at 10.1.10.2 that serves as the gateway for the internal CUE server; the internal CUE server is at 10.1.10.1.
    9. The switch is a 2960 and has a trunk port to the phone system to allow for the voice VLAN, which is at 10.1.1.0/24; no issues with this VLAN, and phones are connecting to the system fine.
    Since I can get the GUI to come up when I set a static route on the PC, I would assume that the routing in the phone system with its internal server is fine, as it wouldn't work otherwise. Since I can successfully ping the CUE server from the PC, that would lead me to believe that the ASA's routing is set up correctly..... TCP traffic doesn't seem to get to/from the CUE server.
    Here are the routing tables:
    ASA:
    Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0
    C    xxx.xxx.xxx.xxx 255.255.255.252 is directly connected, outside
    S    172.16.100.100 255.255.255.255 [1/0] via 38.97.193.65, outside
    S    10.1.10.0 255.255.255.252 [1/0] via 10.19.250.254, inside
    C    10.19.250.0 255.255.254.0 is directly connected, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via xx.xx.xx.xx, outside
    The UC540 phone system's router side:
    Gateway of last resort is xx.xx.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via xx.xx.xx.xx
          10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
    C        10.1.1.0/24 is directly connected, BVI100
    L        10.1.1.1/32 is directly connected, BVI100
    C        10.1.10.0/30 is directly connected, Loopback0
    S        10.1.10.1/32 is directly connected, Integrated-Service-Engine0/0
    L        10.1.10.2/32 is directly connected, Loopback0
    C        10.19.250.0/23 is directly connected, BVI1
    L        10.19.250.254/32 is directly connected, BVI1
          XX.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C       XX.XX.XX.XX/29 is directly connected, FastEthernet0/0
    L        XX.XX.XX.XX/32 is directly connected, FastEthernet0/0
          172.16.0.0/24 is subnetted, 1 subnets
    S        172.16.100.0 [1/0] via 10.19.250.1
    The UC540's internal CUE server:
    Main Routing Table:
          DEST         GATE         MASK              IFACE
          10.1.10.0    0.0.0.0      255.255.255.252   eth0
          0.0.0.0      10.1.10.2    0.0.0.0           eth0
    Any help appreciated!!!
    Thanks!

    Hello,
    Were you able to solve this problem? It does sound like an issue with TCP state checking on the ASA. The firewall needs to see both sides of the traffic, but the return traffic is going from your UC540 direct to the PC. The firewall essentially kills the traffic.
    I would recommend disabling TCP state checking on the ASA and seeing if it works. Otherwise, you will need to stub route the UC540 as a separate VLAN off the ASA, which needs to route through the ASA to reach the PC.
    Here is an info page on TCP State Bypass:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
    Please let me know how it works out.
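    The fix the reply describes, written out as an added example for the addresses in this thread (this is not configuration from the original post). The PC sends its SYN to the ASA as its default gateway, the ASA hairpins it back out the inside interface toward 10.19.250.254, and the UC540 answers the PC directly because both sit on 10.19.250.0/23. The ASA therefore never sees the SYN-ACK, and the client's next ACK is dropped as an out-of-state packet; ICMP has no handshake to track, which is why ping succeeds. The ACL, class-map and policy-map names are assumptions.

```cisco
! Added example, not the original poster's running config.
! Scope the bypass to the CUE subnet only: flows that match lose TCP
! sequence checking, normalisation and most application inspection,
! so keep the ACL as narrow as the problem requires.
access-list tcp_bypass extended permit tcp 10.19.250.0 255.255.254.0 10.1.10.0 255.255.255.252
!
class-map tcp_bypass
 description TCP to the UC540 CUE module whose replies bypass the ASA
 match access-list tcp_bypass
!
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! Hairpinning out the interface the packet arrived on must be allowed;
! if ping already works through the ASA this line is already present.
same-security-traffic permit intra-interface
!
! Apply on the interface the client traffic enters.
service-policy tcp_bypass_policy interface inside
!
! Verify: a matching connection carries the 'b' (TCP state bypass) flag.
show conn address 10.1.10.1 detail
```

    TCP state bypass trades stateful inspection for reachability on exactly those flows, so it is a scoped exception rather than a global setting. Two alternatives keep full inspection: hand every client the same static route the poster added by hand, via DHCP option 121 (classless static route), or move the CUE network behind a separate ASA interface so that return traffic has to traverse the firewall, as the reply suggests.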

  • MS NLB with ASA and Static NAT from PUP to NLB IP

    Hi all,
    I am trying to get MS NLB up and running.  It is almost all working.  Below is my physical setup.
    ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
    I have two VMs running on two different ESXi hosts. They have two vNICs, one for management and one for the inside public subnet. The inside public subnet NICs are in the NLB cluster. The inside public subnet is NATed on the ASA to an outside public IP.
    192.168.0.50 is the 1st VM
    192.168.0.51 is the 2nd VM
    192.168.0.52 is the cluster IP for heartbeat
    192.168.0.53 is the cluster IP for NLB traffic.
    0100.5e7f.0035 is the cluster MAC.
    The NLB cluster is using MULTICAST
    I have read the documentation for both the ASA and the Cat switch for adding a static ARP using the NLB IP and NLB MAC.
    For the ASA I found
    http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
    ASDM
    Configuration > Device Management > Advanced > ARP > ARP Static Table
    I was able to add my static ARP just fine.
    However, the next step was to enable ARP inspection.
    Configuration > Device Management > Advanced > ARP > ARP Inspection
    My ASDM does not list ARP Inspection; it only has the ARP Static Table area. Not sure about this.
    For the CAT Switch I found
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
    I added both the ARP and the static MAC. For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
    On the ASA I added a static NAT for my outside public IP to my inside public NLB IP and vice versa. I then added a DNS entry for our domain to point to the outside public IP. I also added it to the public servers section, allowing all IP traffic for testing purposes.
    At any rate, the MS NLB is working OK. I can ping both the public IP and the inside NLB IP just fine from the outside. (I can ping the inside NLB IP because I'm on a VPN with access to my inside subnets.) The problem is when I go to access a webpage from my NLB servers using the DNS name or the public IP: I get a "This Page Can't Be Displayed" message. Now, while on the VPN, if I use the same URL but instead use the NLB IP and not the public IP, it works fine.
    So I think there is something wrong with the NATing of the public IP to the NLB IP, even though I can ping it fine. Below is my ASA config. I have bolded the parts of interest.
    Result of the command: "show run"
    : Saved
    ASA Version 8.4(4)9
    hostname MP-ASA-1
    enable password ac3wyUYtitklff6l encrypted
    passwd ac3wyUYtitklff6l encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 198.XX.XX.82 255.255.255.240
    interface Ethernet0/1
    description Root Inside Interface No Vlan
    speed 1000
    duplex full
    nameif Port-1-GI-Inside-Native
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/1.2
    description Managment LAN 1 for Inside Networks
    vlan 2
    nameif MGMT-1
    security-level 100
    ip address 192.168.180.1 255.255.255.0
    interface Ethernet0/1.3
    description Managment LAN 2 for Inside Networks
    vlan 3
    nameif MGMT-2
    security-level 100
    ip address 192.168.181.1 255.255.255.0
    interface Ethernet0/1.100
    description Development Pubilc Network 1
    vlan 100
    nameif DEV-PUB-1
    security-level 50
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/1.101
    description Development Pubilc Network 2
    vlan 101
    nameif DEV-PUB-2
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    interface Ethernet0/1.102
    description Suncor Pubilc Network 1
    vlan 102
    nameif SUNCOR-PUB-1
    security-level 49
    ip address 192.168.3.1 255.255.255.0
    interface Ethernet0/1.103
    description Suncor Pubilc Network 2
    vlan 103
    nameif SUNCOR-PUB-2
    security-level 49
    ip address 192.168.4.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa844-9-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network Inside-Native-Network-PNAT
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network with PNAT
    object network ASA-Outside-IP
    host 198.XX.XX.82
    description The primary IP of the ASA
    object network Inside-Native-Network
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network
    object network VPN-POOL-PNAT
    subnet 192.168.100.0 255.255.255.0
    description VPN Pool NAT for Inside
    object network DEV-PUP-1-Network
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUP-1 Network
    object network DEV-PUP-2-Network
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUP-2 Network
    object network MGMT-1-Network
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1 Network
    object network MGMT-2-Network
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2 Network
    object network SUNCOR-PUP-1-Network
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUP-1 Network
    object network SUNCOR-PUP-2-Network
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUP-2 Network
    object network DEV-PUB-1-Network-PNAT
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUB-1-Network with PNAT
    object network DEV-PUB-2-Network-PNAT
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUB-2-Network with PNAT
    object network MGMT-1-Network-PNAT
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1-Network with PNAT
    object network MGMT-2-Network-PNAT
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2-Network with PNAT
    object network SUNCOR-PUB-1-Network-PNAT
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUB-1-Network with PNAT
    object network SUNCOR-PUB-2-Network-PNAT
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUB-2-Network with PNAT
    object network DEV-APP-1-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-APP-2-SNAT
    host 192.168.2.120
    description DEV-APP-2 Server with SNAT
    object network DEV-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-SQL-1
    host 192.168.0.110
    description DEV-SQL-1 Inside Server IP
    object network DEV-SQL-2
    host 192.168.2.110
    description DEV-SQL-2 Inside Server IP
    object network SUCNOR-APP-1-PUB
    host 198.XX.XX.XX
    description SUNCOR-APP-1 Public Server IP
    object network SUNCOR-APP-2-SNAT
    host 192.168.4.120
    description SUNCOR-APP-2 Server with SNAT
    object network SUNCOR-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network SUNCOR-SQL-1
    host 192.168.3.110
    description SUNCOR-SQL-1 Inside Server IP
    object network SUNCOR-SQL-2
    host 192.168.4.110
    description SUNCOR-SQL-2 Inside Server IP
    object network DEV-APP-1-SNAT
    host 192.168.0.120
    description DEV-APP-1 Network with SNAT
    object network SUNCOR-APP-1-SNAT
    host 192.168.3.120
    description SUNCOR-APP-1 Network with SNAT
    object network PDX-LAN
    subnet 192.168.1.0 255.255.255.0
    description PDX-LAN for S2S VPN
    object network PDX-Sonicwall
    host XX.XX.XX.XX
    object network LOGI-NLB--SNAT
    host 192.168.0.53
    description Logi NLB with SNAT
    object network LOGI-PUP-IP
    host 198.XX.XX.87
    description Public IP of LOGI server for NLB
    object network LOGI-NLB-IP
    host 192.168.0.53
    description LOGI NLB IP
    object network LOGI-PUP-SNAT-NLB
    host 198.XX.XX.87
    description LOGI Pup with SNAT to NLB
    object-group network vpn-inside
    description All inside accessible networks
    object-group network VPN-Inside-Networks
    description All Inside Nets for Remote VPN Access
    network-object object Inside-Native-Network
    network-object object DEV-PUP-1-Network
    network-object object DEV-PUP-2-Network
    network-object object MGMT-1-Network
    network-object object MGMT-2-Network
    network-object object SUNCOR-PUP-1-Network
    network-object object SUNCOR-PUP-2-Network
    access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
    access-list outside_access_out remark Block ping to out networks
    access-list outside_access_out extended deny icmp any any inactive
    access-list outside_access_out remark Allow all traffic from inside to outside networks
    access-list outside_access_out extended permit ip any any
    access-list outside_access extended permit ip any object LOGI-NLB--SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
    access-list outside_access extended permit ip any object DEV-APP-2-SNAT
    access-list outside_access extended permit ip any object DEV-APP-1-SNAT
    access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu Port-1-GI-Inside-Native 1500
    mtu MGMT-1 1500
    mtu MGMT-2 1500
    mtu DEV-PUB-1 1500
    mtu DEV-PUB-2 1500
    mtu SUNCOR-PUB-1 1500
    mtu SUNCOR-PUB-2 1500
    mtu management 1500
    ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any Port-1-GI-Inside-Native
    icmp permit any MGMT-1
    icmp permit any MGMT-2
    icmp permit any DEV-PUB-1
    icmp permit any DEV-PUB-2
    icmp permit any SUNCOR-PUB-1
    icmp permit any SUNCOR-PUB-2
    asdm image disk0:/asdm-649-103.bin
    no asdm history enable
    arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
    arp timeout 14400
    no arp permit-nonconnected
    nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    object network Inside-Native-Network-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network VPN-POOL-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network DEV-PUB-1-Network-PNAT
    nat (DEV-PUB-1,outside) dynamic interface
    object network DEV-PUB-2-Network-PNAT
    nat (DEV-PUB-2,outside) dynamic interface
    object network MGMT-1-Network-PNAT
    nat (MGMT-1,outside) dynamic interface
    object network MGMT-2-Network-PNAT
    nat (MGMT-2,outside) dynamic interface
    object network SUNCOR-PUB-1-Network-PNAT
    nat (SUNCOR-PUB-1,outside) dynamic interface
    object network SUNCOR-PUB-2-Network-PNAT
    nat (SUNCOR-PUB-2,outside) dynamic interface
    object network DEV-APP-2-SNAT
    nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
    object network SUNCOR-APP-2-SNAT
    nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
    object network DEV-APP-1-SNAT
    nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
    object network SUNCOR-APP-1-SNAT
    nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
    object network LOGI-NLB--SNAT
    nat (DEV-PUB-1,outside) static LOGI-PUP-IP
    object network LOGI-PUP-SNAT-NLB
    nat (outside,DEV-PUB-1) static LOGI-NLB-IP
    access-group outside_access in interface outside
    access-group outside_access_out out interface outside
    route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 outside
    http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
    http 192.168.180.0 255.255.255.0 MGMT-1
    http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
    : end
    Any help would be great! I think the issue is in the NAT, as I am able to access the NLB IP from the outside and could not do that before adding the static ARP stuff.
    Thanks,
    Chris

    Also, if I change the NAT from the public IP to the NLB IP to use either one of the physical IPs of the NLB cluster (192.168.0.50 or .51), it works fine when using the public IP. So it's definitely an issue when NATing the VIP of the NLB cluster.
    Chris
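    For reference, the minimal set of statements an ASA 8.4 and its access switch need in front of a multicast-mode NLB cluster, as an added example that is not the poster's configuration. It reuses the cluster address, MAC, interface name and object names from the post; the Catalyst interface names and the served ports are assumptions. Two points worth knowing when comparing it with the posted config: object static NAT on the ASA is bidirectional, so one rule on the VIP creates both the inside-to-outside and the outside-to-inside translation and a second static rule in the (outside,DEV-PUB-1) direction for the same address pair is redundant; and ARP inspection is a transparent-mode feature, which is why a routed-mode ASDM does not offer it. The static ARP alias is all that routed mode needs.

```cisco
! Added example, not the original poster's running config.
!
! 1. ASA: a routed-mode ASA will not accept a multicast MAC for a unicast
!    IP from an ARP reply, so the mapping for the VIP must be static. The
!    'alias' keyword also makes the ASA answer ARP for the VIP on DEV-PUB-1.
arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
!
! 2. ASA: one object NAT for the VIP. Static object NAT is bidirectional,
!    so inbound traffic to LOGI-PUP-IP is translated back to the VIP by the
!    same rule; no reverse (outside,DEV-PUB-1) rule is required.
object network LOGI-NLB-IP
 host 192.168.0.53
 nat (DEV-PUB-1,outside) static LOGI-PUP-IP
!
! 3. ASA: since 8.3 the inbound ACL matches the real (untranslated) address.
!    Permit only the ports the cluster serves rather than 'permit ip any'.
access-list outside_access extended permit tcp any object LOGI-NLB-IP eq 80
access-list outside_access extended permit tcp any object LOGI-NLB-IP eq 443
access-group outside_access in interface outside
!
! 4. Catalyst 3750 (VLAN 100 carries DEV-PUB-1): without a static entry the
!    switch floods frames for the multicast MAC to every port in the VLAN.
!    Pin it to the uplinks of both ESXi hosts (interface names assumed).
mac address-table static 0100.5e7f.0035 vlan 100 interface gigabitethernet1/0/1 gigabitethernet1/0/2
!
! Verify on the ASA (203.0.113.10 is a constructed test source; replace the
! placeholder with the public VIP address).
show arp | include 192.168.0.53
show nat detail | include 192.168.0.53
packet-tracer input outside tcp 203.0.113.10 12345 <public-VIP> 80
```

    packet-tracer shows, phase by phase, whether the inbound packet hits the intended NAT rule and ACL entry before it reaches the ARP lookup on DEV-PUB-1, which separates a translation problem from a layer-2 forwarding problem without waiting for a client to fail.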

  • Oracle Forms 11g SSO with OID and IAM

    What versions of OID and Access Manager are required to get an Oracle Forms and Reports 11.1.1.2 application
    on Weblogic 10.3.2 configured for Oracle SSO using OID authentication?
    We want the OID to store and authenticate Users for username and password logins to the database, then
    ultimately by user Certificate authentication in OID. I have OID 11.1.1.2 installed and SSO enabled for Forms
    in Enterprise Manager.
    Is Access Manager required for Forms SSO with OID authentication to work or just to allow user interaction
    for registration and Password reset?
    Things mention OAM 10.4.3 and others talk about IAM 11g for Forms 11.1.1.2 SSO to work with OID.
    We did this back in Oracle Forms and OID 10g with JSP and LDAP to setup users but I understand 11g is
    different and IAM can help or is required for this type of SSO to work.
    Any help?
    Edited by: Kirch on Apr 30, 2013 7:39 AM

    Hi,
    According to Oracle's certification matrix found at http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls, Oracle Forms 11.1.1.2 is not supported to use any Oracle Access Manager (OAM) version. OAM is a component of IAM. It is only supported with Oracle SSO 10.1.4.x. The best solution would be to upgrade the Forms and Reports environment to either 11gR2 (11.1.2.1) or to the latest 11gR1 patchset 11.1.1.7. Both versions are compatible with OAM 11.1.1.7.0 and OID 11.1.1.7.0, whereas only Forms 11gR2 (11.1.2.1) is compatible with OAM 11.1.2.0 and OID 11.1.1.7.0. That would be the best solution, as we have run into configuration problems in the past with using Oracle SSO 10.1.4.x.
    Since OID 11.1.1.2.0 is already installed, you should be able to patch it up to 11.1.1.7.0.
    For user authentication in OID, it is required to have OAM or Oracle SSO as both products use WebGate or mod_osso agents for authentication and authorization. For purposes of allowing end users to register accounts and password reset, you will either need to also install another IAM component called Oracle Identity Manager (OIM) or create a customized SSO login page that can be coded to perform these actions. I believe there are some examples available on the Internet.
    Thanks,
    Scott
    http://pitss.com/us

  • SSO with Sharepoint and BO

    Hi ,
    We have BO XI 3.0 installed on a Windows Server 2003 system, and SharePoint is also installed on the same system. We need to do SSO between SharePoint and BO XI 3.0.
    Is it possible with this version? If so, could anyone share your experience? I saw the product documentation, which is only for BO XI 3.1, but my environment is BO XI 3.0.
    Regards,
    Jyothi

    Hi Tim Ziemba,
    Thanks for the response.
    Yes, we are planning to upgrade the system soon. Now this is a POC for checking the functionality. Could you please share what the prerequisites are and where I can get the BO XI 3.0 SharePoint Integration Kit?
    When I try to install the Integration Kit for 3.1, it asks for the Enterprise .NET SDK. Where can I get it?
    Regards,
    Jyothi

  • ACS 5.3 Radius authentication with ASA and DACL

    Hi,
    I am trying to do RADIUS authentication on the ACS 5.3 for VPN access (Cisco client) using a downloadable ACL with AD identity.
    Clients are connecting to an ASA 5510 with image asa843-K8.bin
    I followed the configuration example on the Cisco site, but I am having some problems
    First: AD identity is not triggered. I put in a profile:
    Status  Name         Conditions                                              Results (Authorization Profiles)  Hit Count
                         NDG:Location  Time And Date  AD1:memberOf
    1       TestVPNDACL  -ANY-         -ANY-          equals Network Admin     TEST DACL                         0
    But I am getting no hits on it, so Default Access is being used (Permit Access).
    So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
    I can see the DACL/ASA being authenticated in the ACS log, but no success.
    I am using my user, which is a member of the Network Admin group.
    Am I missing something?
    Any help greatly appreciated!
    Wim

    Hello Stephen,
    As for the IP Pools feature, ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either, as the recommended scenario would be to use a dedicated DHCP server.
    ACS 4.x included that functionality; however, it was not the best solution, as the ACS returned the IP address value as a RADIUS attribute instead of acting as a real DHCP server.
    As for the IMEI and MISDN, I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
    In that case it seems that ACS 5.x should be able to allow or deny access based on RADIUS attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
    In that case you might want to use the End-Station Filters feature and use it as the condition for the rule. The End-Station Filter feature uses CLI/DNIS, where CLI is RADIUS attribute 31 and DNIS is attribute 30.
    I am assuming a generic username will be embedded in the devices' request. In that case you will define which end-user devices will be granted access based on the above attributes.
    Here is a snapshot of the section:

  • SSO with OID and WLS 8.1 Web App

    Hi,
    I have a web application deployed on WLS 8.1.
    I have set up Oracle Custom Authenticator.
    Some of my users are stored in Oracle LDAP. I want that if a user logs in to the web application deployed on WLS 8.1 and clicks on a link (in my web app) which sends him to the OID interface, he should not be authenticated again in the OID interface (as he is already authenticated by WLS). Please let me know how to resolve this issue with Oracle SSO.
    Any help in this regard highly appreciated.
    Thanks
    -Deepak

    Did you find a solution for this problem?
    I have something very similar going on where I am currently working.
    Thanks!
    Andy.
    "Simple Guy" <[email protected]> wrote:
    >
    > Hi,
    > I've a setup with iPlanet 6.x webserver using the WLS 7.0 SP2 proxy plugin to route requests to the clustered app server instances (2 of them) that are in WLS 6.1 SP3.
    > The issue is, I'm noticing that the session is not sticky and is getting routed onto the other app server instance. The error that I see in the wlproxy.log is as follows:
    > *******Exception type [PROTOCOL_ERROR] raised at line 654 of URL.cpp
    > Thu Nov 13 11:30:08 2003 failure on sendRequest() w/ recycled connection to Instance1:7001, numfailures=1
    > Thu Nov 13 11:30:08 2003 Marking Instance1:7001 as bad
    > Thu Nov 13 11:30:08 2003 got exception in sendRequest phase: PROTOCOL_ERROR [line 654 of URL.cpp]: unexpected EOF reading HTTP status at line 1010
    > Thu Nov 13 11:30:08 2003 Failing over after sendRequest exception
    > Thu Nov 13 11:30:08 2003 attempt #1 out of a max of 5
    > Has anyone seen this issue? Can anyone explain why this issue is occurring?
    > Thanks.

  • Bad video quality with AMS and Citrix

    Some clients connect to our network with Citrix VPN and get the screen presented from Citrix.
    The video quality is bad and choppy, and the sound is out of sync.
    Is it possible to set a specific quality for clients connecting with Citrix in AMS?
    Do you have a best practice when using Citrix?
    /Anders

    Hi Drago
    It is a very bad situation. Toshiba must offer a functioning product with every notebook, and because of that it offers tested drivers. Those drivers are adapted for each notebook model and also have a protecting function. That means the graphics card will not be forced to run at the highest level.
    As you can see, with the original driver you have problems playing some games. For me it is nothing unusual for mobile computers. The problem is that every modified driver is not supported and tested by the notebook manufacturer. I recommend you use the tested Toshiba driver. In the end maybe you must make a compromise between gaming and watching movies.
    By the way: are original DVD movies also so bad while you use preinstalled WinDVD?

  • Integrating 3rd party SSO with SAPGUI and distinguish between different SID

    Hello,
    We are trying to integrate an SSO application on Win XP with SAPGUI 6.20 (SAP 4.70).
    The SSO app fills, in the case of SAPGUI, the fields 'client', 'username', 'password' and 'language'.
    Which credentials to choose is normally based on information the SSO app gets out of the context of the application it should log in to.
    As an example, with IE it's the window title and the URL.
    But with the SAPGUI we only get "SAP" as an identifier, regardless of which SID/server(?) is selected. Therefore we are not able to fill in the corresponding credentials.
    Where can the SID (and perhaps 'client') be retrieved by an external program when the logon screen is displayed by SAPGUI?
    Please excuse me if this is the wrong forum or I'm using the wrong terms, but normally I'm living outside the SAP world.
    TIA!
    Regards,
    Frank

    As an addendum to my post, I've seen that this can be done.
    http://www.hardcopy.de/hardcopy/english/bsp_sap_neu_kz.php3

  • Endpoint Assessment with ASA and Eset Smart Security

    Hi,
    I am trying to get ASA Endpoint Assessment working on an ASA 5510 with Eset Smart Security version 4.
    It works great with Eset Smart Security version 3, but I am unable to get it working with version 4.
    From a "debug dap trace" it appears the variables are populated with bad information:
    endpoint.as["SpyBot"].timestamp="1223424000";
    endpoint.av["WmiAV"]={};
    endpoint.av["WmiAV"].exists="true";
    endpoint.av["WmiAV"].description="Eset unknown product";
    endpoint.av["WmiAV"].version="4.0";
    endpoint.av["WmiAV"].activescan="ok";
    endpoint.av["WmiAV"].lastupdate="";
    endpoint.av["WmiAV"].timestamp="";
    Is there anything I can do ?
    Any help, really appreciated.
    Thanks
    Matt
    I am running 8.0(4) with csd_3.4.0373.pkg.
    Endpoint Assessment 2.5.14.3
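    Added example (not from the question and not Cisco code): a small Python parser for the `endpoint.*` assignments that `debug dap trace` prints, followed by a posture check modelled on what a DAP antivirus rule would require. It uses the trace lines from the question above as constructed input; the 30-day signature-age threshold, the `now_epoch` value and the rule logic itself are assumptions for illustration, not the ASA's own evaluation. Run against that input it reports the same two defects the poster saw: the product is not identified and `lastupdate` is empty, so any rule keyed on signature freshness can never match.

```python
import re

# Constructed sample: the endpoint.* lines as they appeared in the question's
# "debug dap trace" output (the poster's own values, copied verbatim).
SAMPLE_TRACE = """\
endpoint.as["SpyBot"].timestamp="1223424000";
endpoint.av["WmiAV"]={};
endpoint.av["WmiAV"].exists="true";
endpoint.av["WmiAV"].description="Eset unknown product";
endpoint.av["WmiAV"].version="4.0";
endpoint.av["WmiAV"].activescan="ok";
endpoint.av["WmiAV"].lastupdate="";
endpoint.av["WmiAV"].timestamp="";
"""

# Matches either a table creation  endpoint.<cat>["<product>"]={};
# or an attribute assignment      endpoint.<cat>["<product>"].<attr>="<value>";
_ASSIGN = re.compile(
    r'^endpoint\.(\w+)\["([^"]+)"\](?:\.(\w+))?=(?:"([^"]*)"|\{\});$'
)


def parse_dap_trace(text):
    """Return {category: {product: {attr: value}}} from debug dap trace lines.

    Lines that are not endpoint.* assignments (timestamps, headers) are skipped.
    """
    endpoint = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _ASSIGN.match(line)
        if not m:
            continue
        category, product, attr, value = m.groups()
        entry = endpoint.setdefault(category, {}).setdefault(product, {})
        if attr is not None:
            entry[attr] = value
    return endpoint


def check_av_posture(endpoint, now_epoch, max_age_days=30):
    """Illustrative DAP-style antivirus requirement (assumed rule, not the ASA's).

    Returns (ok, reasons). Every reported AV product must exist, be identified,
    and carry a numeric lastupdate no older than max_age_days.
    """
    reasons = []
    av = endpoint.get("av", {})
    if not av:
        return False, ["no antivirus product reported by the endpoint"]
    for product, attrs in av.items():
        if attrs.get("exists") != "true":
            reasons.append(f"{product}: product not present")
        desc = attrs.get("description", "")
        if desc.lower().endswith("unknown product"):
            reasons.append(f"{product}: product not identified ({desc!r})")
        last = attrs.get("lastupdate", "")
        if not last.isdigit():
            reasons.append(f"{product}: lastupdate missing or non-numeric ({last!r})")
        elif now_epoch - int(last) > max_age_days * 86400:
            reasons.append(f"{product}: signatures older than {max_age_days} days")
    return (not reasons), reasons


if __name__ == "__main__":
    ep = parse_dap_trace(SAMPLE_TRACE)
    # now_epoch is an assumed evaluation time for the demo
    ok, why = check_av_posture(ep, now_epoch=1223500000)
    print("posture ok:", ok)
    for r in why:
        print(" -", r)
```

    The parser only needs the assignment syntax shown in the trace, so the same function can be pointed at a longer capture to see which `endpoint.av` / `endpoint.as` attributes the client actually populated before a rule is written against them.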

    Hello Tarik,
    Thanks for the info.
    The clients are able to log in. And in the ESET Smart Security configuration, the NAC client application is added to the firewall rules, which makes NAC active whatever ports are used by the client.
    Thanks
    Patrick Y.

  • SSO with WindowsAD and SAP Auth

    Hi,
    we have heterogeneous systems. We have reports based on an Oracle database and SAP BW. Currently we are using Windows AD authentication for SSO to the Oracle database, but is it possible to use Windows AD for Oracle and SAP authentication for SAP BW?
    Is it really possible to have dual SSO ?
    Thanks,
    Gopi

    Hi Ingo,
    Thanks for the quick reply. Can you please elaborate a little bit on this. Is it really possible to make SSO work for both SAP and the Oracle data warehouse?
    Do we have any documents on this? Really appreciate your help on this.
    Thanks,
    gopi

  • OBIEE  SSO  with authorization

    Hi Gurus,
    1) I have an instance configured with SSO using Windows Active Directory and OBIEE.
    2) I also have another instance (without SSO configured) with external table authentication (user name and password verification) and authorization (groups, which populate the session variables for data filtering).
    Now my question is, I want a combination of Scenario 1 and Scenario 2. I want to have OBIEE SSO with Active Directory
    and external table groups.
    The reason being, my groups are custom groups in an external table; I do not want to maintain users in the repository.
    Can you please give me pointers if the scenario is possible. Thanks in advance.
    Thanks and Regards
    Satya

    "Now my question is, I want a combination of Scenario 1 and Scenario 2. I want to have OBIEE SSO with Active Directory and external table groups."
    I don't know what your issue is. Just do SSO with AD and then load the groups in the GROUP init block via SQL. What is your actual issue?
    "In order to filter the data in reports you need to have the same group structure in Web Cat I guess (correct me if I am wrong)."
    Yes, although you don't need to use the same group names. In fact I prefer to have completely separate group names, some for RPD security, some for Web Catalog security. As long as the groups exist in the proper location (RPD or Web Catalog) and they get assigned in the GROUP init block then OBIEE will be happy; they don't need to exist in both places.
    "2) Will not SSO populate the REMOTE_USER variable rather than the USER variable by default?"
    No, you have to tell OBIEE where to put the REMOTE_USER value. You can simply do SELECT ':USER' FROM DUAL or, if you have your users defined in a table, you can also authenticate that the user exists in this table: SELECT ':USER' FROM USER_TABLE WHERE USER_ID = ':USER', which adds another layer of authentication to your SSO solution.
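    Added example, not part of the thread and not OBIEE code: a Python model of the two init blocks the answer describes, backed by an in-memory SQLite database with constructed `user_table` and `user_groups` tables. The identity that SSO hands over (REMOTE_USER) is first checked against `user_table`, exactly the extra authentication layer the answer recommends, and only then are the groups loaded. The table and column names, the `;`-joined group string and parameter binding in place of OBIEE's `:USER` substitution are assumptions for illustration.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data: two known users, with RPD and Web Catalog groups
    kept under separate names as the answer suggests."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_table  (user_id TEXT PRIMARY KEY);
        CREATE TABLE user_groups (user_id TEXT NOT NULL, group_name TEXT NOT NULL);
        INSERT INTO user_table VALUES ('alice'), ('bob');
        INSERT INTO user_groups VALUES
            ('alice', 'SALES_RPD'), ('alice', 'SALES_WEBCAT'),
            ('bob',   'FINANCE_RPD');
    """)
    return conn


def resolve_session(conn, remote_user):
    """Emulate the USER and GROUP init blocks for one SSO login.

    remote_user is the value the web server's SSO layer passed as REMOTE_USER.
    Returns the session variables, or None when the user must be rejected
    (no SSO identity, or an identity that AD knows but the table does not).
    """
    if not remote_user:
        return None  # SSO header absent: never fall back to an empty user

    # USER init block: SELECT ':USER' FROM USER_TABLE WHERE USER_ID = ':USER'
    # A hit proves the user is provisioned in the external table.
    row = conn.execute(
        "SELECT user_id FROM user_table WHERE user_id = ?", (remote_user,)
    ).fetchone()
    if row is None:
        return None

    # GROUP init block: load the custom groups for this user. Multiple rows are
    # joined with ';' here purely for illustration.
    groups = [
        g for (g,) in conn.execute(
            "SELECT group_name FROM user_groups WHERE user_id = ? ORDER BY group_name",
            (remote_user,),
        )
    ]
    return {"USER": row[0], "GROUP": ";".join(groups)}


if __name__ == "__main__":
    db = build_demo_db()
    for ident in ("alice", "bob", "mallory", ""):
        print(repr(ident), "->", resolve_session(db, ident))
```

    The important branch is the `None` result for an identity that is missing from `user_table`: an account that exists in Active Directory but was never provisioned in the external table does not get a session, even though SSO authenticated it.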

  • Oracle9iAS R2 - Virtual Hosts with Portal and SSO with OIDDAS application

    Hi!
    I have installed the machine with the name minsk.discover.local. The machine has Infrastructure and Portal installed. The installation is successful and it works fine. But I have published Portal to the web with the name intranet.discover.com.br. Oracle describes:
    1 - Create the virtual hosts in SSO and PORTAL - OK
    2 - Run ptlasst to create SSO Partner Applications - OK
    After these steps it works fine with Portal and SSO, but when I click the portlet to create a user to access the OIDDAS application, the Portal redirects to the SSO login page at the address mct.com.br, the internal name, which does not respond on the internet.
    I need a help!!!!
    Marcio Mesti

    I just spoke to the Oracle App server admins, the two servers in question are clustered.
    So my question changes slightly to:
    What is the best way to install and configure a webgate for clustered Oracle App servers with multiple virtual hosts that are residing behind a load balancer (Traffic Manager)?
    Thanks,
    Andy

  • SSO with EP 6.0 and R/3 as backend not working

    Hi,
        I am implementing ESS in EP 6.0 with R/3 4.7c as backend. SSO is working with UIDPW, but when I try with logon tickets it does not work.
    I tried with an ordinary SAP transaction; SSO with logon tickets works. But through ITS, if I call an ESS transaction service it asks me for login user and password.
    What are the settings to be done in ITS for SSO to work? I have set the parameter
    msapcomusesso2cookie = 1 in the global.svrc file.
    I do not know what is wrong. Please help.
    Regards,
    Ramesh

    Hi,
      I am using a standalone ITS for an R/3 4.7 system.
    How should I maintain an FQDN for ITS?
    You are right,
    now it is not of the format hostname.domain.com:port. It is of the format hostname:port.
    But where should I change this format? The host name of the system where the ITS is set up is <hostname> only.
    Can you please tell me where I should maintain the FQDN in the specific format you suggested.
    Regards,
    Ramesh
