Tacacs+ authentication/authorization based on user's subnet
Hi Guys/Girls
We have number of production cisco gears, all of which are configured with Tacacs+ and all of them working just fine. But now I have a requirement to implement SSH-ver2 across whole network, comprise of about 8000 cisco gears.
I need to develop a proof of concept (POC), that enabling SSH on production gears will not affect existing Tacacs+ users authentication and authorization.
In our lab cisco gears, it has been already configured with production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears but I without disrupting others users who are using the same lab-gears.
So, I want to enable SSH version 2 on these lab-gears however, when user coming from a certain specific subnet, this particular user must be authenticated and authorized by LAB Tacacs+ but not from production Tacacs+, however please note that lab-gears I am testing with also already configured for production Tacacs+ server as well. These lab-gears must be able to do authentication and authorization to two different Tacacs+ server based on users subnet that he or she coming from.
Is this doable plan? I have been looking for a documentation to implement test this method, not being successful.
Your feedback will be appreciated and rated.
Thanks
Rizwan Rafeek
Riswan,
This will not work, tacacs authentication starts once the ssh connection is established, the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You can not create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server that is not the intended design of tacacs, when you configure multiple servers in a group it is to insure high availability such that when one tacacs server goes down you have a secondary to continue with the authenticaiton requests.
Here is an example of how the tacacs authentication is performed.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
thanks and I hope that helps,
Tarik Admani
*Please rate helpful posts*
Similar Messages
-
Tacacs authentication fails for one user account for only one switch
Hi,
I am having an scenario, where as Tacacs authentication fails for one user account for only one switch.
The same user account works well for other devices.
The AAA configs are same on every devices in the network.
Heres the show tacacs output from the switch where only one user account fails;
Socket opens: 157
Socket closes: 156
Socket aborts: 303
Socket errors: 1
Socket Timeouts: 2
Failed Connect Attempts: 0
Total Packets Sent: 1703
Total Packets Recv: 1243
Expected Replies: 0
What could be the reason ?
No errors on ACS server; same rights had been given to the user account.
Thanks to advise.
PraseyHi there,
Does the user get authenticated in the ACS logs?
reports and activity----> failed attempts
ro
reports and activity-----> passed authentications
That will help narrow it down.
Brad -
Purchasing group authorization based on user
Hi All,
Can anyone suggest me ideas on how to restrict in accessing details of a PO for a purchasing group based on the user who tries to access it .
the object is M-BEST_EKG.
need guidance in using AUTHORITY_CHECK in restriciting PO group based on the userid.
how are the users assigned to the authorization object ?
Thanks in advance.
Regards,
RyHi Roby,
I think you can control authorization using transaction PFCG.
refer below SAP link for details on authorization. May help you.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm
Regards,
Atish -
Ask for help with form based authentication & authorization
Hi:
I encountered the following problem when I tried the form based authentication & authorization (see the attached part of the config files, web.xml, weblogic.xml & weblogic.properties)
1. authorization seems not invoked against the rules specfied, it doesn't go the login error page as long as the user/pwd match, even though the user does not have the necessary role
in the example below, user3 should be denied to access the signin page, but seems no login error page returned, actually I never see any page / error message which complain about the authorization / access control error
2. after authenticate correctly, always get redirected to the / (context root) url, instead of the url prior the login page, for e.g., signin page
Any idea ?
Thanks in advance.
HaiMing
attach config files
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>MySecureBit1</web-resource-name>
<description>no description</description>
<url-pattern>/control/signin</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>default</realm-name>
<form-login-config>
<form-login-page>/control/formbasedlogin</form-login-page>
<form-error-page>/control/formbasedloginerror</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>the customer role</description>
<role-name>customer</role-name>
</security-role>
weblogic.xml
<security-role-assignment>
<role-name>
customer
</role-name>
<principal-name>
customer_group
</security-role-assignment>
weblogic.properties
weblogic.password.user1=user1pass
weblogic.password.user2=user2pass
weblogic.password.user3=user3pass
weblogic.security.group.customer_group=user1,user2Hi, Paul:
Thanks a lot for your reply.
Firstly let me just correct a little in the attachment I put previously, I think I missed following lines :
<auth-constraint>
<description>no description</description>
<role-name>customer</role-name>
</auth-constraint>
So, user1 & user2 are in the customer group, but user3 not, and /control/singin is protected by this security constraint, as a result, when anyone click the link to /control/singin, he was led to the login page, if he tries to login as user1 & user2, he should pass & led to original page (in this case /control/singin, and my code's logic, once /control/signin is used, means that he already login successfully & redirected to the login success page), but if he tries to login as user3, he should only pass the authentication check, but fail the authorization check, and led to login error page.
What not happen are :
1. user1 & user2 pass, but redirect to /
2. user3 also pass, because I see that debug message shows also get redirected to /, instead of login error page
(login error page will be displayed, only if I try to login as a user with either wrong userid, or wrong password)
3. one more thing I notice after I first time post the message, the container does not remember the principal, after 1. is done, not even for a while
And the similar configuration works under Tomcat 3.2.1, for all 3. mentioned above.
Any idea ?
HaiMing
"Paul Patrick" <[email protected]> wrote:
If I understand what your trying to do, everyone should get access to the
login page since roles are not
associated with principals until after they authenticate. If I follow what
you specified in the XML files,
authenticated users user1 and user2 are members of a group called
customer_group.
The principal customer_group (and therefore its members) is mapped in the
weblogic.xml file to the role
customer.
I can't speak to the reason your being redirected to the document root.
Paul Patrick
"HaiMing" <[email protected]> wrote in message
news:[email protected]...
Hi:
I encountered the following problem when I tried the form basedauthentication & authorization (see the attached part of the config files,
web.xml, weblogic.xml & weblogic.properties)
1. authorization seems not invoked against the rules specfied, itdoesn't go the login error page as long as the user/pwd match, even though
the user does not have the necessary role
in the example below, user3 should be denied to access the signinpage, but seems no login error page returned, actually I never see any page
/ error message which complain about the authorization / access control
error
2. after authenticate correctly, always get redirected to the / (contextroot) url, instead of the url prior the login page, for e.g., signin page
Any idea ?
Thanks in advance.
HaiMing
attach config files
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>MySecureBit1</web-resource-name>
<description>no description</description>
<url-pattern>/control/signin</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>default</realm-name>
<form-login-config>
<form-login-page>/control/formbasedlogin</form-login-page>
<form-error-page>/control/formbasedloginerror</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>the customer role</description>
<role-name>customer</role-name>
</security-role>
weblogic.xml
<security-role-assignment>
<role-name>
customer
</role-name>
<principal-name>
customer_group
</security-role-assignment>
weblogic.properties
weblogic.password.user1=user1pass
weblogic.password.user2=user2pass
weblogic.password.user3=user3pass
weblogic.security.group.customer_group=user1,user2 -
Authentication and authorization for AD users in UCM11g
Hi all
we are using webcenter content server 11g. I read some where that for 11g users authentication is done in weblogic server environment, mean content server for 11g in now managed by weblogic server only, am i right?. we have successfully integrated Active Directory with weblogic sever and user of AD are able to log-in UCM but they don't have any role like contributor or Admin. How to do this role mapping for AD user in UCM i.e. authorization for these users. Please provide any guidence on this issue any doc or blog, we are new to webcenter suite.
Thanks
SomeshAs you already have weblogic integrated with AD, remains only role mapping and Single Sign-On integration. For authorization, AD must contain groups with exact names as roles in the Content Server. Those groups should be where Group Base parameter in the weblogic ActiveDirectoryAuthenticator point (like OU=Roles,OU=Oracle,DC=example,DC=com). Assigning AD user to the AD group named contributor, will add contributor role to logged Content Server user.
As for SSO, refer to the:
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm
and
http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#autoId21
Procedure steps are:
Create a user account for the hostname of the web server machine in Active Directory
Create krb5.ini file, and locate it in the C:\Windows directory at both machines (Domain Controller and WLS host)
Generate the keytab file
Create a JAAS Login File named krb5Login.conf
Put both keytab and krb5Login.conf files to …/user_domains/domains/my_domain/
Configure the Identity Assertion Provider
Adjust Weblogic Server startup arguments for Kerberos authentication
Redeploy CS (and optionally other servers) server with the documentation given deployment plan
Check web browser configuration (IE and Firefox only)
Take a deep breath and test
If successful have a cake and cup of coffee else goto step one
Regards,
Boris -
BI Bex Query prompt based on User's Authorization....
Hi
In BI, I created 1 BEx Query based on Authorization. If a user runs the query, it prompts for 'Customer Name' to get data of particular customer. And Customer values are populated in the prompt based on User's Authorization.
For example:
User1 is authorized to see data of Customer1 & Customer2. So, Query prompt will show 2 values: 'Customer1' & 'Customer2'.
But User2 is authorized to see data of Customer1, so Query prompt will show 'Customer1' only.
I created 2 variables on Customer field:
1) Authorization Variable in Filter Section
2) Manual, Single Entry, Mandatory on Default Value section.
My Requirement:
If user is authorized to link with only 1 Customer, he should not get prompt & on the background prompt value should be populated from his authorization value. But if user is authorized to see multi-customers, then prompt should appear.
If possible pls. provide some suggestions....
Thanks...Yes, this can be done.
but there is little work around.. Using guided navigations
1. Create a report with column fx as case when 1=0 then markets.region else user() end
2. apply filter on this column is equal to User_1
3. Create another report with column fx as case when 1=0 then markets.region else user() end
4. apply filter on this column is equal to User_2
5. Now add all your prompts to dashboard, but each prompt should in each section object of dashboard.
6. For first section click on section properties, go to Guided Navigation...
7. Browse Source Request as first report.. and keep If request returns rows selected.
8. Repeat above step for another section.. but this time browse 2nd report.
9. Just save dashboard.
Check now..
Hope you understood..
Regards
Kishore Guggilla
Edited by: Kishore Guggilla on Feb 18, 2009 12:57 PM -
Assigning different authorization to same user based on Query
Hi experts,
I am redefining my issue,
Is there any way i can assign different authorizations to the same user but based on either Query/Workbook.
lets say i have two Analysis authorizations A & B and two Queries X and Y.
If the Query/Workbook is X then Add Authorization A to user ABC.
else if the Query/Workbook is Y then Add authorization B to user ABC.
this is because i have two set of workbooks the same user can access and authorization for these two set is different based on the workbook.
I tried using the auth objects 0TCTWORKBK,0TCTQUERID OR 0TCTQUERY but no success so far.
thank in advance.
Edited by: youmenbi on Feb 12, 2008 1:20 AM
Edited by: youmenbi on Feb 12, 2008 1:31 AMHi
We have set same kind of authorizations based on the users. The Cost Center Manager is assigned a role and the authorizations for each of the Report/Layout/Workbook is based on his/her profile...some are Read only, some or Read & Write...etc.
If you go through that route......and assign each of the Reports/Layouts/Workbooks to Users....you may succeed.
I know it is a bit time consuming but that is one alternative we could think of as it addressed seamlessly any changes in CC Managers.
Regards
Srinivas -
How to display screens (tabs) based on user authentication
hi
i am new to jheadstart, i want to display screens (tabs) based on users, ie if i have screens of dept, grade, desig, group, type, master etc..
if user is admin display all the items in tab,
if user 1 then display only dept, grade, desig
if user2 then other settings....etc
how to do this pls help,,,,,
thx in adv
KrisKris,
If you upgrade to JHeadstart 10.1.2.2 (requires a license), you will get built-in support for user authenrication and authorization including showing tabs based on the role. 10.1.2.2. ships with a demo app that uses all these features.
Steven Davelaar,
JHeadstart Team. -
We have a SharePoint Enterprise 2013 system at RTM level. We've installed Workflow Manager 1.0 by following the steps at
http://technet.microsoft.com/en-us/library/jj658588.aspx. For the final step of Validating the Installation we created a simple list-level workflow and verified that the workflow
is invoked successfully. This is working successfully, but only for a single user. If other users in the same site collection try to invoke the workflow on this same list we get the ULS Log Error:
Claims Authentication af3zp Unexpected STS Call Claims Saml: Problem getting output claims identity. Exception: 'Microsoft.SharePoint.SPException: The specified user or domain group was not found. --->
System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
followed by:
Failed to issue new security token. Exception: Microsoft.SharePoint.SPException: The specified user or domain group was not found. ---> System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
(as details below).
All accounts that are attempting to use the Test Workflow (both working and non-working user accounts) are valid AD accounts and are included in the User Profile Sync that runs nightly. All have Contribute or Design permission level (and for testing,
Full Control).
What could cause the Claims Authentication to fail when certain users attempt to launch the workflow?
Thank you for your response.
Jim Mac.
08/29/2013 10:22:51.94 w3wp.exe (0x2020) 0x26D8 SharePoint Foundation
Claims Authentication af3zp Unexpected STS Call Claims Saml: Problem getting output claims identity. Exception: 'Microsoft.SharePoint.SPException: The specified user or domain group was
not found. ---> System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated. at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType,
Boolean forceSuccess) at System.Security.Principal.NTAccount.Translate(Type targetType) at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKeyClaim(IClaimsIdentity claimsIdentity,
SPClaim loginClaim) --- End of inner exception stack trace --- at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKeyClaim(IClaimsIdentity claimsIdent... 94aa5c2d-fa45-9b83-b203-a92b20102583
08/29/2013 10:22:51.94* w3wp.exe (0x2020) 0x26D8 SharePoint Foundation
Claims Authentication af3zp Unexpected ...ity, SPClaim loginClaim) at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKey(String
encodedIdentityClaimSuffix) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.CreateTokenCacheReferenceFromTokenSignature(SPRequestInfo requestInfo, IClaimsIdentity identity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentTokenCacheReferenceClaim(SPRequestInfo
requestInfo, IClaimsIdentity identity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal
principal, RequestSecurityToken request, Scope scope)'. 94aa5c2d-fa45-9b83-b203-a92b20102583
08/29/2013 10:22:51.94 w3wp.exe (0x2020) 0x26D8 SharePoint Foundation
Claims Authentication fo1t Monitorable STS Call: Failed to issue new security token. Exception: Microsoft.SharePoint.SPException: The specified user or domain group was not found. --->
System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated. at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
at System.Security.Principal.NTAccount.Translate(Type targetType) at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKeyClaim(IClaimsIdentity claimsIdentity, SPClaim loginClaim)
--- End of inner exception stack trace --- at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKeyClaim(IClaimsIdentity claimsIdentity, SPClaim logi... 94aa5c2d-fa45-9b83-b203-a92b20102583
08/29/2013 10:22:51.94* w3wp.exe (0x2020) 0x26D8 SharePoint Foundation
Claims Authentication fo1t Monitorable ...nClaim) at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKey(String encodedIdentityClaimSuffix)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.CreateTokenCacheReferenceFromTokenSignature(SPRequestInfo requestInfo, IClaimsIdentity identity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentTokenCacheReferenceClaim(SPRequestInfo
requestInfo, IClaimsIdentity identity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal
principal, RequestSecurityToken request, Scope scope) at Microsoft.IdentityModel.Securi... 94aa5c2d-fa45-9b83-b203-a92b20102583
08/29/2013 10:22:51.94* w3wp.exe (0x2020) 0x26D8 SharePoint Foundation
Claims Authentication fo1t Monitorable ...tyTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal
principal, RequestSecurityToken request) 94aa5c2d-fa45-9b83-b203-a92b20102583Hi Aries,
I am facing issue with work flow where Workflow goes to Suspend mode.
I am facing an issue with SP2013 Custom Workflow developed using Visual Studio 2012.
Objective of the Custom workflow: User fills the form and submit, list get updated and workflow will initiate and go for the process.
Issue: After the deployment of WF, for first time when user is filling the form and submit, list is getting updated. But the Workflow Goes to "Suspend" mode. (
This Custom Workflow has a configuration file where we are providing other details including ID of Impersonator (farm is running under Claim Based Authentication).
Work flow works fine once when the Impersonator initiate the workflow (Fill the form and submit for approval) and everything works fine after that.
Following steps are already performed
1.Make sure User profile synchronization is started.
2.Make sure the user is not the SharePoint system user.
3.Make sure the user by whom you are logged is available in User Profile list.
4.Step full synchronization of User Profile Application.
From the ULS logs it seems the user's security token from the STS service and User profile service is not being issued.
Appreciate any thoughts or solution.
Following are the log files.
<-------------------------------Information taken from "http://YYYY.XXXXX.com/sites/xxxx/_layouts/15/wrkstat.aspx" where it is showing workflow status as "Suspend"------->
http://yyyy.XXXX.com/sites/xxxx/_vti_bin/client.svc/sp.utilities.utility.ResolvePrincipalInCurrentcontext(input=@ParamUser,scopes='15',sources='15',inputIsEmailOnly='false',addToUserInfoList='False')?%40ParamUser='i%3A0%23.w%7CXXXXX%5Csps_biscomdev'
Correlation Id: f5bd8793-a53c-2127-bfb1-70bc172425e8 Instance Id: 14a985a0-60c8-42db-a42c-c752190b8106
RequestorId: f5bd8793-a53c-2127-0000-000000000000. Details: RequestorId: f5bd8793-a53c-2127-0000-000000000000. Details: An unhandled exception occurred during the execution of the workflow instance. Exception details: System.ApplicationException: HTTP 401
{"error_description":"The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug>
configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs."} {"x-ms-diagnostics":["3001000;reason=\"There
has been an error authenticating the request.\";category=\"invalid_client\""],"SPRequestGuid":["f5bd8793-a53c-2127-8654-672758a68234"],"request-id":["f5bd8793-a53c-2127-8654-672758a68234"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"SPRequestDuration":["34"],"SPIisLatency":["0"],"Server":["Microsoft-IIS\/7.5"],"WWW-Authenticate":["Bearer
realm=\"b14e1e0f-257f-42ec-a92d-377479e0ec8d\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000005-0000-0000-c000-000000000000@*,[email protected]79e0ec8d\"","NTLM"],"X-Powered-By":["ASP.NET"],"MicrosoftSharePointTeamServices":["15.0.0.4420"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
RequireReadOnly"],"Date":["Fri, 10 Apr 2015 19:48:07 GMT"]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance
instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)
ULS Log
04/16/2015 15:22:03.70 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation Authentication Authorization agb9s Medium OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0 f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.70 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation Runtime ajd6k Verbose Value for isAnonymousAllowed is : False f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.70 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation Runtime ajd6l Verbose Value for checkAuthenticationCookie is : True f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.70 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8b Verbose Looking up context site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.70 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8f Verbose Site lookup is replacing
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8g Verbose Looking up typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8b Verbose Looking up context site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8f Verbose Site lookup is replacing
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8g Verbose Looking up typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly)). Execution Time=18.7574119057031 f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8b Verbose Looking up context site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8f Verbose Site lookup is replacing
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8g Verbose Looking up typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.73 PowerShell.exe (0x29BC) 0x2B9C SharePoint Foundation General narq Verbose Releasing SPRequest with allocation Id {AF89E1D7-C47F-467B-8FD4-D7DC768820EE}
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly.
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
http://inetdev.
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80.
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80.
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly)). Parent No
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly.
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
http://inetdev.
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80.
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80.
04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly) f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Application Authentication Pipeline). Parent Request (GET:http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly) f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Claims Authentication ah25l Medium SPJsonWebSecurityBaseTokenHandler: ValidateActorIsSelfIssuer! Issuer '00000005-0000-0000-c000-000000000000' is not self
issuer. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Getting Site Subscription Id). Parent [S2S] Getting token from STS and setting Thread Identity f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context site
http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Getting Site Subscription Id). Execution Time=0.341314329055788 f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Reading token from Cache using token signature). Parent [S2S] Getting token from STS and setting Thread
Identity f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.76 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General ajji6 High Unable to write SPDistributedCache call usage entry. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.76 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Reading token from Cache using token signature). Execution Time=7.5931438213516 f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.76 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Application Authentication ajwpx Medium SPApplicationAuthenticationModule: Failed to build cache key for user f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.76 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Topology aeayb Medium SecurityTokenServiceSendRequest: RemoteAddress: 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel:
'Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustChannelContract' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId: 'urn:uuid:fd5eba94-c39d-4667-89bd-089411c87f09' f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.77 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Topology aeax9 Medium SecurityTokenServiceReceiveRequest: LocalAddress: 'http://c1vspwfe01.vitas.com:32843/SecurityTokenServiceApplication/securitytoken.svc'
Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId: 'urn:uuid:fd5eba94-c39d-4667-89bd-089411c87f09' f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.77 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (ExecuteSecurityTokenServiceOperationServer). Parent No f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Claims Authentication ah25l Medium SPJsonWebSecurityBaseTokenHandler: ValidateActorIsSelfIssuer! Issuer '00000005-0000-0000-c000-000000000000' is not self
issuer. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General narq Verbose Releasing SPRequest with allocation Id {F17590DF-49D9-439D-86BC-5AE6416BB765} f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General 6t8b Verbose Looking up site
http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General 6t8f Verbose Site lookup is replacing
http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General 6t8g Verbose Looking up typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General narq Verbose Releasing SPRequest with allocation Id {3847D5A4-15C6-4AF9-B062-E22BB555DF4F} f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Portal Server User Profiles ae0s1 High Identity claims mapped to '0' user profiles. Claims: [nameid: '', nii: 'windows', upn: '', smtp: '', sip: ''], User Profiles: f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Portal Server User Profiles ae0sr Unexpected UserProfileException caught.. Exception Microsoft.Office.Server.Security.UserProfileNoUserFoundException: 3001002;reason=The
incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator. at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager
upManager, IEnumerable`1 identityClaims) at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.<>c__DisplayClass2.<GetMappedIdentityClaim>b__0() is thrown. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Portal Server User Profiles ae0su High The set of claims could not be mapped to a single user identity. Exception 3001002;reason=The incoming identity is not mapped
to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator. has occured. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Claims Authentication ae0tc High The registered mappered failed to resolve to one identity claim. Exception: Microsoft.Office.Server.Security.UserProfileNoUserFoundException:
3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator. at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager
upManager, IEnumerable`1 identityClaims) at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.<>c__DisplayClass2.<GetMappedIdentityClaim>b__0() at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated
secureCode) at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetMappedIdentityClaim(Uri context, IEnumerable`1 identityClaims) at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetClaimFromExternalMapper(Uri
contextUri, List`1 claims) f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Claims Authentication af3zp Unexpected STS Call Claims Saml: Problem getting output claims identity. Exception: 'Microsoft.Office.Server.Security.UserProfileNoUserFoundException:
3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator. at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager
upManager, IEnumerable`1 identityClaims) at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.<>c__DisplayClass2.<GetMappedIdentityClaim>b__0() at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated
secureCode) at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetMappedIdentityClaim(Uri context, IEnumerable`1 identityClaims) at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetClaimFromExternalMapper(Uri
contextUri, List`1 claims) at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.ResolveUserIdentityClaim(Uri contextUri, ClaimCollection inputClaims) at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetIdentityClaim(Uri
contextUri, ClaimCollection inputClaims, SPCallingIdentityType callerType) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetLogonIdentityClaim(SPRequestInfo requestInfo, IClaimsIdentity inputIdentity, IClaimsIdentity
outputIdentity, SPCallingIdentityType callerType) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.EnsureSharePointClaims(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity, SPCallingIdentityType callerType)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal
principal, RequestSecurityToken request, Scope scope)'. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Claims Authentication fo1t Monitorable STS Call: Failed to issue new security token. Exception: Microsoft.Office.Server.Security.UserProfileNoUserFoundException:
3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator. at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager
upManager, IEnumerable`1 identityClaims) at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.<>c__DisplayClass2.<GetMappedIdentityClaim>b__0() at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated
secureCode) at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetMappedIdentityClaim(Uri context, IEnumerable`1 identityClaims) at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetClaimFromExternalMapper(Uri
contextUri, List`1 claims) at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.ResolveUserIdentityClaim(Uri contextUri, ClaimCollection inputClaims) at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetIdentityClaim(Uri
contextUri, ClaimCollection inputClaims, SPCallingIdentityType callerType) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetLogonIdentityClaim(SPRequestInfo requestInfo, IClaimsIdentity inputIdentity, IClaimsIdentity
outputIdentity, SPCallingIdentityType callerType) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.EnsureSharePointClaims(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity, SPCallingIdentityType callerType)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal
principal, RequestSecurityToken request, Scope scope) at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal
principal, RequestSecurityToken request) f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.79 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (ExecuteSecurityTokenServiceOperationServer). Execution Time=17.1551132895382 f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Claims Authentication fsq7 High SPSecurityContext: Request for security token failed with exception: System.ServiceModel.FaultException: The server was
unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in
order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message
response) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken
rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Claims Authentication 8306 Critical An exception occurred when trying to issue security token: The server was unable to process the request due to an internal
error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to
the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Application Authentication Pipeline). Execution Time=52.3525336320678 f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Application Authentication ajezs High SPApplicationAuthenticationModule: Error authenticating request, Error details { Header: {0}, Body: {1} }. Available
parameters: 3001000;reason="There has been an error authenticating the request.";category="invalid_client" {"error_description":"The server was unable to process the request due to an internal error. For more information
about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as
per the Microsoft .NET Framework SDK documentation and inspect the server trace logs."} . f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 8nca Medium Application error when access /sites/testrpa2/_vti_bin/client.svc, Error=The server was unable to process the request due to an internal
error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to
the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken
rst, RequestSecurityTokenResponse& rstr) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context,
Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationAuthentication(Uri context,
SecurityToken onBehalfOf) at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.<>c__DisplayClass4.<GetLocallyIssuedToken>b__3() at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated
secureCode) at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.ConstructIClaimsPrincipalAndSetThreadIdentity(HttpApplication httpApplication, HttpContext httpContext, SPFederationAuthenticationModule fam)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.AuthenticateRequest(Object sender, EventArgs e) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly)). Execution Time=62.2890618779761 f5bd8793-a53c-2127-8485-418c67f110f6
Regards
Sakti -
Use of Authorizations Tab in User Account for Version 10
Whats the use of Authorizations Tab in User Account for Version 10. Please find the snapshot attached.
Hi Pawan,
SAP Sourcing 10 allow custom script and query-based web services which support OAuth authentication so
client consumer application will consume this web service and if the OAuth handshake is done successfully, then we can verify by going to the Authroizations tab of the User Account of the user that signed on to Sourcing/CLM and allowed the external program to access the particular webservice.
For more insights please refer the Web services cookbook of SAP Sourcing 10.
Hope it helps to some extent.
Best,
Kushagra A -
Tacacs+ authentication errors
I am having problems getting TACACS+ AAA working with my 3560 switches. I have set up users, groups, and NDG on ACS SE as per the CS ACS course material and have triple checked my keys to make sure they match. I have attached debug from switch for authentication, authorization and tacacs+. Can someone please tell me what I am doing wrong?
Here is the config I have on the switch. (sorry should have sent this already).
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login no_aaa none
aaa authorization exec default group tacacs+ none
aaa authorization exec no_aaa none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 15 no_aaa none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
interface VLAN1
ip address 10.200.1.16 255.255.255.0
no ip directed-broadcast
no ip route-cache
ip tacacs source-interface VLAN1
tacacs-server host 10.200.35.250
tacacs-server key cisco
line con 0
authorization commands 15 no_aaa
authorization exec no_aaa
login authentication no_aaa
transport input none
stopbits 1
line vty 5 15 -
11g hybrid authentication / authorization: WLS plus external table
I've implemented external table authentication / authorization in 11g. Now I'd like to add a twist.
I have an external table containing users B, C, and D. That external table contains all of the columns I need for authentication (including a clear text password) and for authorization (roles, log level, a dynamic table name, and so forth). I have authentication in one initialization block, authorization in another. Everything works fine. I can log in as B, C, or D and see exactly what I'm supposed to see, based on the ROLES.
The clear text passwords are generally not a problem, because this is a training instance and almost all of the passwords are the same. However, I want to add a user whose password should not be held in clear text. For that reason, I'd like to add that user into WLS. I've done that, and I'm able to log in to OBIEE. After confirming that I could log in to OBIEE with user A from the WLS, I added User A to the external table, left its password field blank, and filled in the other columns (roles, loglevel, etc...) that I need to assign into session variables.
Here's the problem: the authorization init block properly assigns ALL session variables for users B, C, and D. It assigns all session varaibles EXCEPT the ROLES variable for user A. I've confirmed this by creating an Answers analysis that shows me the values of the session variables. The ROLES session variable for user A shows "authenticated-role;BIConsumer;AuthenticatedUser". For all other users (those who are authenticated using the clear text passwords in the external table) the ROLES variable is populated correctly, based on the values in the ROLES column in the external table. In short, the authorization init block is properly assigning the ROLES session variable only for those users that were authenticated using the authentication init block, but is assigning all other session variables correctly for all users, even the one in WLS.
Here's my authentication init block code:
select bi_user
from bi_auth_ldap
where bi_user = ':USER'
and bi_user_pwd = ':PASSWORD'
Here's the authorization init block code:
select roles, bi_user_name, to_number(loglevel,0), channel_tbl
from bi_auth_ldap
where bi_user = ':USER'
(returned results are assigned into ROLES, DISPLAYNAME, LOGLEVEL, and CHANNEL_TBL session variables, respectively)
It feels like the ROLES session variable is populated in conjuction with the user logging on and being authenticated via WLS, and that the initialization block isn't able to overwrite that variable. Can an OBIEE developer confirm that for us, please? Once set in WLS, is it not possible to overwrite the ROLES session variable with SQL from an initialization block? If it IS possible, can you post some code that will accomplish it?
Thanks!It occurs to me that Oracle's support model is a fantastic way to make money. Let's see, I wonder if I could become a billionaire doing this:
Create some software. Sell that software. Then, charge customers several thousand MORE dollars, year after year, plus about $60 per bug, so that they have the right to report MY bugs to me. Yeah, that's the ticket - people PAYING for the right to report bugs to me. Oh, and if more than one person reports the same bug, I get to keep ALL of the money from ALL of them.
Let's summarize, make sure I haven't missed something: You buy my software, you PAY ME additionally to report MY bugs to me, I don't necessarily have to fix the bugs (but I keep your money whether I fix it or not), and I can collect multiple times from different people who report the same bug.
Sweeeeeeet.........
Billionaire Acres, here I come! -
Authentication & Authorization programming
Hello all,
I am in process to create a new application, My requirement here is that I want to create a reusable module that I want to use for authentication & authorization. Further I want that when ever a user logs-in, his/her privileges get stored in the session and based on the data stored in the database s/he should be able to view the page and event the fields/components on it.
Can any one help me with the design of the above requirement.
Thanks in advance for the same.Hi,
if you want 2 applications share the same session you should give them the same login cookie name in the authentication scheme.
>
1. convey relevant values from the custom auth app (these cannot be one app)
>
Setup a database context to share values between the applications.
Or use apex_util.fetch_app_item http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35127/apex_util.htm#BABIBAID
>
2. make certain that users don't just bookmark the target app and bypass my authentication/authorization outcomes -- something here with session ID?
>
Set the URL for the "session not valid" section of the authentication scheme to the login page of your custom auth app
regards,
Erik-jan -
Authentication/Authorization across Apache/Weblogic?
Hello,
We are considering a setup with Apache handling Servlet/JSP and WLS for EJB/etc.
I heard WLS has some plug-in for Apache. Does this plug-in enable Authentication/Authorization
with my (custom RDBMS-based) security realm in WLS? Any gotcha? Any live experience?
TIA
chuckThis is what I did. My environment is openldap, weblogic 10.3 on a windows machine. Still having trouble
dn: cn=fd_user1,ou=people,dc=example,dc=com
objectClass: person
cn: fd_user1
dn: cn=FD,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: FD
member: cn=fd_user1,ou=people,dc=example,dc=com
Here is my weblogic.xml entries
<wls:security-role-assignment>
<wls:role-name>FD</wls:role-name>
<wls:externally-defined/>
</wls:security-role-assignment>
My web.xml
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>SecuredArea</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>FD</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>myrealm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>FD</role-name>
</security-role>
Inside the login.jsp I do have the j_security_check as the action parameter value. I am able to view the ldap users in the admin console too. Still not able to access the resource. I am in the process of debugging the ldap messages on the openldap console.
Thanks -
Hello awsome community
I am trying to wrap my head around a possible configuration issue where I am creating a "rancid" account to auto log into a cisco switch (2950/2960) with restricted access. The problem is I cannot seem to restrict the access verry well, the rancid user has all the access it wants
Tacacs Config Snippit:
group = rancid {
default service = deny
service = exec {
priv-lvl = 15
cmd = show {
permit .*
cmd = exit {
permit .*
cmd = dir {
permit .*
cmd = write {
permit term
Cisco AAA Configuration:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Is there something I am missing or not accuratly setting up to restrict access to *only* the commands listed in the Tacacs Configs?Found the issue \o/
I lacked some authorization commands, added the following fixed this issue:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
Maybe you are looking for
-
Since I changed my laptop to the new version of Firefox it crashes EVERY time the college internet tries to sign on for authorization. It never did this with the previous version. What is supposed to happen is it opens a page that asks me to click "I
-
Password not shown in asterisk
I have a device with a problem: When i try to unlock the blackberry , the password is shown in clear letters not in asterisks. Even if typing in the right password, it doesnt get accepted. And it's asking me to type in "blackberry"
-
Updating contents of PSE 13 Organizer
Is there a quick, batch process to update the contents of the Organizer for all images that have been renamed, deleted or moved to different folders?
-
I bought S5 for unlimited dual video recording. Now will return because a 10 min limit is imposed. Who knows where and under what temperature I am operating. This is foolish. On my motorcycle handlebars it will be cooled just fine at 70 MPhil an
-
Report: Fetching data more time
HI, My report is facing the performance issue. Actually for a PO I am getting the BELNR from the EKBE. for all the BELNR in EKBE where BWTYP = 'Q'. I need to get the Invoice No. This I am fetching from BKPF based on AWKEY as input. When I saw in debu