Tacacs+ authentication/authorization based on user's subnet

Hi Guys/Girls
We have number of production cisco gears, all of which are configured with Tacacs+ and all of them working just fine. But now I have a requirement to implement SSH-ver2 across whole network, comprise of about 8000 cisco gears.
I need to develop a proof of concept (POC), that enabling SSH on production gears will not affect existing Tacacs+ users authentication and authorization.
In our lab cisco gears, it has been already configured with production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears but I without disrupting others users who are using the same lab-gears.
So, I want to enable SSH version 2 on these lab-gears however, when user coming from a certain specific subnet, this particular user must be authenticated and authorized by LAB Tacacs+ but not from production Tacacs+, however please note that lab-gears I am testing with also already configured for  production Tacacs+ server as well. These lab-gears must be able to do authentication and authorization to two different Tacacs+ server based on users subnet that he or she coming from.
Is this doable plan? I have been looking for a documentation to implement test this method, not being successful.
Your feedback will be appreciated and rated.
Thanks
Rizwan Rafeek

Riswan,
This will not work, tacacs authentication starts once the ssh connection is established, the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You can not create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server that is not the intended design of tacacs, when you configure multiple servers in a group it is to insure high availability such that when one tacacs server goes down you have a secondary to continue with the authenticaiton requests.
Here is an example of how the tacacs authentication is performed.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
thanks and I hope that helps,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • Tacacs authentication fails for one user account for only one switch

    Hi,
    I am having an scenario, where as Tacacs authentication fails for one user account for only one switch.
    The same user account works well for other devices.
    The AAA configs are same on every devices in the network.
    Heres the show tacacs output from the switch where only one user account fails;
                  Socket opens:        157
                 Socket closes:        156
                 Socket aborts:        303
                 Socket errors:          1
               Socket Timeouts:          2
       Failed Connect Attempts:          0
            Total Packets Sent:       1703
            Total Packets Recv:       1243
              Expected Replies:          0
    What could be the reason ?
    No errors on ACS server; same rights had been given to the user account.
    Thanks to advise.
    Prasey

    Hi there,
    Does the user get authenticated in the ACS logs?
    reports and activity----> failed attempts
    ro
    reports and activity----->  passed authentications
    That will help narrow it down.
    Brad

  • Purchasing group authorization based on user

    Hi All,
    Can anyone suggest me ideas on how to restrict in accessing details of a PO for a purchasing group based on the user who tries to access it .
    the object is M-BEST_EKG.
    need guidance in using AUTHORITY_CHECK in restriciting PO group based on the userid.
    how are the users assigned to the authorization object ?
    Thanks in advance.
    Regards,
    Ry

    Hi Roby,
    I think you can control authorization using transaction PFCG.
    refer below SAP link for details on authorization. May help you.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm
    Regards,
    Atish

  • Ask for help with form based authentication & authorization

    Hi:
    I encountered the following problem when I tried the form based authentication & authorization (see the attached part of the config files, web.xml, weblogic.xml & weblogic.properties)
    1. authorization seems not invoked against the rules specfied, it doesn't go the login error page as long as the user/pwd match, even though the user does not have the necessary role
    in the example below, user3 should be denied to access the signin page, but seems no login error page returned, actually I never see any page / error message which complain about the authorization / access control error
    2. after authenticate correctly, always get redirected to the / (context root) url, instead of the url prior the login page, for e.g., signin page
    Any idea ?
    Thanks in advance.
    HaiMing
    attach config files
    web.xml
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>MySecureBit1</web-resource-name>
    <description>no description</description>
    <url-pattern>/control/signin</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
    </web-resource-collection>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
    <form-login-page>/control/formbasedlogin</form-login-page>
    <form-error-page>/control/formbasedloginerror</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <description>the customer role</description>
    <role-name>customer</role-name>
    </security-role>
    weblogic.xml
    <security-role-assignment>
    <role-name>
    customer
    </role-name>
    <principal-name>
    customer_group
    </security-role-assignment>
    weblogic.properties
    weblogic.password.user1=user1pass
    weblogic.password.user2=user2pass
    weblogic.password.user3=user3pass
    weblogic.security.group.customer_group=user1,user2

    Hi, Paul:
    Thanks a lot for your reply.
    Firstly let me just correct a little in the attachment I put previously, I think I missed following lines :
    <auth-constraint>
    <description>no description</description>
    <role-name>customer</role-name>
    </auth-constraint>
    So, user1 & user2 are in the customer group, but user3 not, and /control/singin is protected by this security constraint, as a result, when anyone click the link to /control/singin, he was led to the login page, if he tries to login as user1 & user2, he should pass & led to original page (in this case /control/singin, and my code's logic, once /control/signin is used, means that he already login successfully & redirected to the login success page), but if he tries to login as user3, he should only pass the authentication check, but fail the authorization check, and led to login error page.
    What not happen are :
    1. user1 & user2 pass, but redirect to /
    2. user3 also pass, because I see that debug message shows also get redirected to /, instead of login error page
    (login error page will be displayed, only if I try to login as a user with either wrong userid, or wrong password)
    3. one more thing I notice after I first time post the message, the container does not remember the principal, after 1. is done, not even for a while
    And the similar configuration works under Tomcat 3.2.1, for all 3. mentioned above.
    Any idea ?
    HaiMing
    "Paul Patrick" <[email protected]> wrote:
    If I understand what your trying to do, everyone should get access to the
    login page since roles are not
    associated with principals until after they authenticate. If I follow what
    you specified in the XML files,
    authenticated users user1 and user2 are members of a group called
    customer_group.
    The principal customer_group (and therefore its members) is mapped in the
    weblogic.xml file to the role
    customer.
    I can't speak to the reason your being redirected to the document root.
    Paul Patrick
    "HaiMing" <[email protected]> wrote in message
    news:[email protected]...
    Hi:
    I encountered the following problem when I tried the form basedauthentication & authorization (see the attached part of the config files,
    web.xml, weblogic.xml & weblogic.properties)
    1. authorization seems not invoked against the rules specfied, itdoesn't go the login error page as long as the user/pwd match, even though
    the user does not have the necessary role
    in the example below, user3 should be denied to access the signinpage, but seems no login error page returned, actually I never see any page
    / error message which complain about the authorization / access control
    error
    2. after authenticate correctly, always get redirected to the / (contextroot) url, instead of the url prior the login page, for e.g., signin page
    Any idea ?
    Thanks in advance.
    HaiMing
    attach config files
    web.xml
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>MySecureBit1</web-resource-name>
    <description>no description</description>
    <url-pattern>/control/signin</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
    </web-resource-collection>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
    <form-login-page>/control/formbasedlogin</form-login-page>
    <form-error-page>/control/formbasedloginerror</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <description>the customer role</description>
    <role-name>customer</role-name>
    </security-role>
    weblogic.xml
    <security-role-assignment>
    <role-name>
    customer
    </role-name>
    <principal-name>
    customer_group
    </security-role-assignment>
    weblogic.properties
    weblogic.password.user1=user1pass
    weblogic.password.user2=user2pass
    weblogic.password.user3=user3pass
    weblogic.security.group.customer_group=user1,user2

  • Authentication and authorization for AD users in UCM11g

    Hi all
    we are using webcenter content server 11g. I read some where that for 11g users authentication is done in weblogic server environment, mean content server for 11g in now managed by weblogic server only, am i right?. we have successfully integrated Active Directory with weblogic sever and user of AD are able to log-in UCM but they don't have any role like contributor or Admin. How to do this role mapping for AD user in UCM i.e. authorization for these users. Please provide any guidence on this issue any doc or blog, we are new to webcenter suite.
    Thanks
    Somesh

    As you already have weblogic integrated with AD, remains only role mapping and Single Sign-On integration. For authorization, AD must contain groups with exact names as roles in the Content Server. Those groups should be where Group Base parameter in the weblogic ActiveDirectoryAuthenticator point (like OU=Roles,OU=Oracle,DC=example,DC=com). Assigning AD user to the AD group named contributor, will add contributor role to logged Content Server user.
    As for SSO, refer to the:
    http://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm
    and
    http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#autoId21
    Procedure steps are:
    Create a user account for the hostname of the web server machine in Active Directory
    Create krb5.ini file, and locate it in the C:\Windows directory at both machines (Domain Controller and WLS host)
    Generate the keytab file
    Create a JAAS Login File named krb5Login.conf
    Put both keytab and krb5Login.conf files to …/user_domains/domains/my_domain/
    Configure the Identity Assertion Provider
    Adjust Weblogic Server startup arguments for Kerberos authentication
    Redeploy CS (and optionally other servers) server with the documentation given deployment plan
    Check web browser configuration (IE and Firefox only)
    Take a deep breath and test
    If successful have a cake and cup of coffee else goto step one
    Regards,
    Boris

  • BI Bex Query prompt based on User's Authorization....

    Hi
    In BI, I created 1 BEx Query based on Authorization. If a user runs the query, it prompts for 'Customer Name' to get data of particular customer. And Customer values are populated in the prompt based on User's Authorization.
    For example:
    User1 is authorized to see data of Customer1 & Customer2. So, Query prompt will show 2 values: 'Customer1' & 'Customer2'.
    But User2 is authorized to see data of Customer1, so Query prompt will show 'Customer1' only.
    I created 2 variables on Customer field:
    1) Authorization Variable in Filter Section
    2) Manual, Single Entry, Mandatory on Default Value section.
    My Requirement:
    If user is authorized to link with only 1 Customer, he should not get prompt & on the background prompt value should be populated from his authorization value. But if user is authorized to see multi-customers, then prompt should appear.
    If possible pls. provide some suggestions....
    Thanks...

    Yes, this can be done.
    but there is little work around.. Using guided navigations
    1. Create a report with column fx as case when 1=0 then markets.region else user() end
    2. apply filter on this column is equal to User_1
    3. Create another report with column fx as case when 1=0 then markets.region else user() end
    4. apply filter on this column is equal to User_2
    5. Now add all your prompts to dashboard, but each prompt should in each section object of dashboard.
    6. For first section click on section properties, go to Guided Navigation...
    7. Browse Source Request as first report.. and keep If request returns rows selected.
    8. Repeat above step for another section.. but this time browse 2nd report.
    9. Just save dashboard.
    Check now..
    Hope you understood..
    Regards
    Kishore Guggilla
    Edited by: Kishore Guggilla on Feb 18, 2009 12:57 PM

  • Assigning different authorization to same user based on Query

    Hi experts,
    I am redefining my issue,
    Is there any way i can assign different authorizations to the same user but based on either Query/Workbook.
    lets say i have two Analysis authorizations A & B and two Queries X and Y.
    If the Query/Workbook is X then Add Authorization A to user ABC.
    else if the Query/Workbook is Y then Add authorization B to user ABC.
    this is because i have two set of workbooks the same user can access and authorization for these two set is different based on the workbook.
    I tried using the auth objects 0TCTWORKBK,0TCTQUERID OR 0TCTQUERY but no success so far.
    thank in advance.
    Edited by: youmenbi on Feb 12, 2008 1:20 AM
    Edited by: youmenbi on Feb 12, 2008 1:31 AM

    Hi
    We have set same kind of authorizations based on the users. The Cost Center Manager is assigned a role and the authorizations for each of the Report/Layout/Workbook is based on his/her profile...some are Read only, some or Read & Write...etc.
    If you go through that route......and assign each of the Reports/Layouts/Workbooks to Users....you may succeed.
    I know it is a bit time consuming but that is one alternative we could think of as it addressed seamlessly any changes in CC Managers.
    Regards
    Srinivas

  • How to display screens (tabs) based on user authentication

    hi
    i am new to jheadstart, i want to display screens (tabs) based on users, ie if i have screens of dept, grade, desig, group, type, master etc..
    if user is admin display all the items in tab,
    if user 1 then display only dept, grade, desig
    if user2 then other settings....etc
    how to do this pls help,,,,,
    thx in adv
    Kris

    Kris,
    If you upgrade to JHeadstart 10.1.2.2 (requires a license), you will get built-in support for user authenrication and authorization including showing tabs based on the role. 10.1.2.2. ships with a demo app that uses all these features.
    Steven Davelaar,
    JHeadstart Team.

  • SharePoint Designer workflow gives Claims Authentication error for some users. Problem getting output claims identity. The specified user or domain group was not found.

    We have a SharePoint Enterprise 2013 system at RTM level.  We've installed Workflow Manager 1.0 by following the steps at
    http://technet.microsoft.com/en-us/library/jj658588.aspx.  For the final step of Validating the Installation we created a simple list-level workflow and verified that the workflow
    is invoked successfully.  This is working successfully, but only for a single user.  If other users in the same site collection try to invoke the workflow on this same list we get the ULS Log Error:
    Claims Authentication          af3zp Unexpected STS Call Claims Saml: Problem getting output claims identity. Exception: 'Microsoft.SharePoint.SPException: The specified user or domain group was not found. --->
    System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
    followed by:
    Failed to issue new security token. Exception: Microsoft.SharePoint.SPException: The specified user or domain group was not found. ---> System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
    (as details below).
    All accounts that are attempting to use the Test Workflow (both working and non-working user accounts) are valid AD accounts and are included in the User Profile Sync that runs nightly.  All have Contribute or Design permission level (and for testing,
    Full Control). 
    What could cause the Claims Authentication to fail when certain users attempt to launch the workflow?
    Thank you for your response.
    Jim Mac.
    08/29/2013 10:22:51.94  w3wp.exe (0x2020)                        0x26D8 SharePoint Foundation        
     Claims Authentication          af3zp Unexpected STS Call Claims Saml: Problem getting output claims identity. Exception: 'Microsoft.SharePoint.SPException: The specified user or domain group was
    not found. ---> System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.     at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType,
    Boolean forceSuccess)     at System.Security.Principal.NTAccount.Translate(Type targetType)     at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKeyClaim(IClaimsIdentity claimsIdentity,
    SPClaim loginClaim)     --- End of inner exception stack trace ---     at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKeyClaim(IClaimsIdentity claimsIdent... 94aa5c2d-fa45-9b83-b203-a92b20102583
    08/29/2013 10:22:51.94* w3wp.exe (0x2020)                        0x26D8 SharePoint Foundation        
     Claims Authentication          af3zp Unexpected ...ity, SPClaim loginClaim)     at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKey(String
    encodedIdentityClaimSuffix)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.CreateTokenCacheReferenceFromTokenSignature(SPRequestInfo requestInfo, IClaimsIdentity identity)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentTokenCacheReferenceClaim(SPRequestInfo
    requestInfo, IClaimsIdentity identity)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal
    principal, RequestSecurityToken request, Scope scope)'. 94aa5c2d-fa45-9b83-b203-a92b20102583
    08/29/2013 10:22:51.94  w3wp.exe (0x2020)                        0x26D8 SharePoint Foundation        
     Claims Authentication          fo1t Monitorable STS Call: Failed to issue new security token. Exception: Microsoft.SharePoint.SPException: The specified user or domain group was not found. --->
    System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.     at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)    
    at System.Security.Principal.NTAccount.Translate(Type targetType)     at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKeyClaim(IClaimsIdentity claimsIdentity, SPClaim loginClaim)    
    --- End of inner exception stack trace ---     at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKeyClaim(IClaimsIdentity claimsIdentity, SPClaim logi... 94aa5c2d-fa45-9b83-b203-a92b20102583
    08/29/2013 10:22:51.94* w3wp.exe (0x2020)                        0x26D8 SharePoint Foundation        
     Claims Authentication          fo1t Monitorable ...nClaim)     at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKey(String encodedIdentityClaimSuffix)    
    at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.CreateTokenCacheReferenceFromTokenSignature(SPRequestInfo requestInfo, IClaimsIdentity identity)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentTokenCacheReferenceClaim(SPRequestInfo
    requestInfo, IClaimsIdentity identity)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal
    principal, RequestSecurityToken request, Scope scope)     at Microsoft.IdentityModel.Securi... 94aa5c2d-fa45-9b83-b203-a92b20102583
    08/29/2013 10:22:51.94* w3wp.exe (0x2020)                        0x26D8 SharePoint Foundation        
     Claims Authentication          fo1t Monitorable ...tyTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal
    principal, RequestSecurityToken request) 94aa5c2d-fa45-9b83-b203-a92b20102583

    Hi Aries,
    I am facing issue with work flow where Workflow goes to Suspend mode.
    I am facing an issue with SP2013 Custom Workflow developed using Visual Studio 2012.
    Objective of the Custom workflow: User fills the form and submit, list get updated and workflow will initiate and go for the process.
    Issue: After the deployment of WF, for first time when user is filling the form and submit, list is getting updated. But the Workflow Goes to "Suspend" mode. (
    This Custom Workflow has a configuration file where we are providing other details including ID of Impersonator (farm is running under Claim Based Authentication).
    Work flow works fine once when the Impersonator initiate the workflow (Fill the form and submit for approval) and everything works fine after that.
    Following steps are already performed
    1.Make sure User profile synchronization is started.
    2.Make sure the user is not the SharePoint system user.
    3.Make sure the user by whom you are logged is available in User Profile list.
    4.Step full synchronization of User Profile Application.
    From the ULS logs it seems the user's security token from the STS service and User profile service is not being issued.
    Appreciate any thoughts or solution.
    Following are the log files.
    <-------------------------------Information taken from "http://YYYY.XXXXX.com/sites/xxxx/_layouts/15/wrkstat.aspx" where it is showing workflow status as "Suspend"------->
    http://yyyy.XXXX.com/sites/xxxx/_vti_bin/client.svc/sp.utilities.utility.ResolvePrincipalInCurrentcontext(input=@ParamUser,scopes='15',sources='15',inputIsEmailOnly='false',addToUserInfoList='False')?%40ParamUser='i%3A0%23.w%7CXXXXX%5Csps_biscomdev'
    Correlation Id: f5bd8793-a53c-2127-bfb1-70bc172425e8 Instance Id: 14a985a0-60c8-42db-a42c-c752190b8106
    RequestorId: f5bd8793-a53c-2127-0000-000000000000. Details: RequestorId: f5bd8793-a53c-2127-0000-000000000000. Details: An unhandled exception occurred during the execution of the workflow instance. Exception details: System.ApplicationException: HTTP 401
    {"error_description":"The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug>
    configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs."} {"x-ms-diagnostics":["3001000;reason=\"There
    has been an error authenticating the request.\";category=\"invalid_client\""],"SPRequestGuid":["f5bd8793-a53c-2127-8654-672758a68234"],"request-id":["f5bd8793-a53c-2127-8654-672758a68234"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"SPRequestDuration":["34"],"SPIisLatency":["0"],"Server":["Microsoft-IIS\/7.5"],"WWW-Authenticate":["Bearer
    realm=\"b14e1e0f-257f-42ec-a92d-377479e0ec8d\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000005-0000-0000-c000-000000000000@*,[email protected]79e0ec8d\"","NTLM"],"X-Powered-By":["ASP.NET"],"MicrosoftSharePointTeamServices":["15.0.0.4420"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
    RequireReadOnly"],"Date":["Fri, 10 Apr 2015 19:48:07 GMT"]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance
    instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)
    ULS Log
    04/16/2015 15:22:03.70 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation Authentication Authorization agb9s Medium OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0 f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.70 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation Runtime ajd6k Verbose Value for isAnonymousAllowed is : False f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.70 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation Runtime ajd6l Verbose Value for checkAuthenticationCookie is : True f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.70 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8b Verbose Looking up context  site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.70 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8f Verbose Site lookup is replacing
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
    http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8g Verbose Looking up typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8b Verbose Looking up context  site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8f Verbose Site lookup is replacing
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
    http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8g Verbose Looking up typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly)). Execution Time=18.7574119057031 f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8b Verbose Looking up context  site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8f Verbose Site lookup is replacing
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
    http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8g Verbose Looking up typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.71 w3wp.exe (0x1C74) 0x1AB8 SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.73 PowerShell.exe (0x29BC) 0x2B9C SharePoint Foundation General narq Verbose Releasing SPRequest with allocation Id {AF89E1D7-C47F-467B-8FD4-D7DC768820EE} 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context  site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
    http://inetdev. 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly)). Parent No 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context  site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
    http://inetdev. 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. 
    04/16/2015 15:22:03.73 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly) f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Application Authentication Pipeline). Parent Request (GET:http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly) f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context  site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
    http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.74 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Claims Authentication ah25l Medium SPJsonWebSecurityBaseTokenHandler: ValidateActorIsSelfIssuer! Issuer '00000005-0000-0000-c000-000000000000' is not self
    issuer. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Getting Site Subscription Id). Parent [S2S] Getting token from STS and setting Thread Identity f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context  site
    http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
    http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
    http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
    http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Getting Site Subscription Id). Execution Time=0.341314329055788 f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.75 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Reading token from Cache using token signature). Parent [S2S] Getting token from STS and setting Thread
    Identity f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.76 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General ajji6 High Unable to write SPDistributedCache call usage entry. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.76 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Reading token from Cache using token signature). Execution Time=7.5931438213516 f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.76 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Application Authentication ajwpx Medium SPApplicationAuthenticationModule: Failed to build cache key for user  f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.76 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Topology aeayb Medium SecurityTokenServiceSendRequest: RemoteAddress: 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel:
    'Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustChannelContract' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId: 'urn:uuid:fd5eba94-c39d-4667-89bd-089411c87f09' f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.77 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Topology aeax9 Medium SecurityTokenServiceReceiveRequest: LocalAddress: 'http://c1vspwfe01.vitas.com:32843/SecurityTokenServiceApplication/securitytoken.svc'
    Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId: 'urn:uuid:fd5eba94-c39d-4667-89bd-089411c87f09' f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.77 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (ExecuteSecurityTokenServiceOperationServer). Parent No f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Claims Authentication ah25l Medium SPJsonWebSecurityBaseTokenHandler: ValidateActorIsSelfIssuer! Issuer '00000005-0000-0000-c000-000000000000' is not self
    issuer. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General narq Verbose Releasing SPRequest with allocation Id {F17590DF-49D9-439D-86BC-5AE6416BB765} f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General 6t8b Verbose Looking up  site
    http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
    http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General 6t8f Verbose Site lookup is replacing
    http://inetdev/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
    http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General 6t8g Verbose Looking up typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation General narq Verbose Releasing SPRequest with allocation Id {3847D5A4-15C6-4AF9-B062-E22BB555DF4F} f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Portal Server User Profiles ae0s1 High Identity claims mapped to '0' user profiles. Claims: [nameid: '', nii: 'windows', upn: '', smtp: '', sip: ''], User Profiles: f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Portal Server User Profiles ae0sr Unexpected UserProfileException caught.. Exception Microsoft.Office.Server.Security.UserProfileNoUserFoundException: 3001002;reason=The
    incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator.     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager
    upManager, IEnumerable`1 identityClaims)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.<>c__DisplayClass2.<GetMappedIdentityClaim>b__0() is thrown. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Portal Server User Profiles ae0su High The set of claims could not be mapped to a single user identity. Exception 3001002;reason=The incoming identity is not mapped
    to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator. has occured.  f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Claims Authentication ae0tc High The registered mappered failed to resolve to one identity claim. Exception: Microsoft.Office.Server.Security.UserProfileNoUserFoundException:
    3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator.     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager
    upManager, IEnumerable`1 identityClaims)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.<>c__DisplayClass2.<GetMappedIdentityClaim>b__0()     at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()    
    at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated
    secureCode)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetMappedIdentityClaim(Uri context, IEnumerable`1 identityClaims)     at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetClaimFromExternalMapper(Uri
    contextUri, List`1 claims) f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Claims Authentication af3zp Unexpected STS Call Claims Saml: Problem getting output claims identity. Exception: 'Microsoft.Office.Server.Security.UserProfileNoUserFoundException:
    3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator.     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager
    upManager, IEnumerable`1 identityClaims)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.<>c__DisplayClass2.<GetMappedIdentityClaim>b__0()     at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()    
    at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated
    secureCode)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetMappedIdentityClaim(Uri context, IEnumerable`1 identityClaims)     at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetClaimFromExternalMapper(Uri
    contextUri, List`1 claims)     at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.ResolveUserIdentityClaim(Uri contextUri, ClaimCollection inputClaims)     at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetIdentityClaim(Uri
    contextUri, ClaimCollection inputClaims, SPCallingIdentityType callerType)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetLogonIdentityClaim(SPRequestInfo requestInfo, IClaimsIdentity inputIdentity, IClaimsIdentity
    outputIdentity, SPCallingIdentityType callerType)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.EnsureSharePointClaims(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity, SPCallingIdentityType callerType)    
    at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal
    principal, RequestSecurityToken request, Scope scope)'. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.78 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Claims Authentication fo1t Monitorable STS Call: Failed to issue new security token. Exception: Microsoft.Office.Server.Security.UserProfileNoUserFoundException:
    3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator.     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager
    upManager, IEnumerable`1 identityClaims)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.<>c__DisplayClass2.<GetMappedIdentityClaim>b__0()     at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()    
    at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated
    secureCode)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetMappedIdentityClaim(Uri context, IEnumerable`1 identityClaims)     at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetClaimFromExternalMapper(Uri
    contextUri, List`1 claims)     at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.ResolveUserIdentityClaim(Uri contextUri, ClaimCollection inputClaims)     at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetIdentityClaim(Uri
    contextUri, ClaimCollection inputClaims, SPCallingIdentityType callerType)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetLogonIdentityClaim(SPRequestInfo requestInfo, IClaimsIdentity inputIdentity, IClaimsIdentity
    outputIdentity, SPCallingIdentityType callerType)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.EnsureSharePointClaims(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity, SPCallingIdentityType callerType)    
    at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal
    principal, RequestSecurityToken request, Scope scope)     at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal
    principal, RequestSecurityToken request) f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.79 w3wp.exe (0x0C48) 0x1318 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (ExecuteSecurityTokenServiceOperationServer). Execution Time=17.1551132895382 f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Claims Authentication fsq7 High SPSecurityContext: Request for security token failed with exception: System.ServiceModel.FaultException: The server was
    unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in
    order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.     at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message
    response)     at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)     at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken
    rst)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Claims Authentication 8306 Critical An exception occurred when trying to issue security token: The server was unable to process the request due to an internal
    error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to
    the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Application Authentication Pipeline). Execution Time=52.3525336320678 f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Application Authentication ajezs High SPApplicationAuthenticationModule: Error authenticating request, Error details { Header: {0}, Body: {1} }.  Available
    parameters: 3001000;reason="There has been an error authenticating the request.";category="invalid_client" {"error_description":"The server was unable to process the request due to an internal error.  For more information
    about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as
    per the Microsoft .NET Framework SDK documentation and inspect the server trace logs."} . f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 8nca Medium Application error when access /sites/testrpa2/_vti_bin/client.svc, Error=The server was unable to process the request due to an internal
    error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to
    the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)     at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken
    rst, RequestSecurityTokenResponse& rstr)     at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context,
    Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationAuthentication(Uri context,
    SecurityToken onBehalfOf)     at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.<>c__DisplayClass4.<GetLocallyIssuedToken>b__3()     at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated
    secureCode)     at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.ConstructIClaimsPrincipalAndSetThreadIdentity(HttpApplication httpApplication, HttpContext httpContext, SPFederationAuthenticationModule fam)    
    at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.AuthenticateRequest(Object sender, EventArgs e)     at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()    
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context  site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.79 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
    http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8b Verbose Looking up context  site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in the farm SharePoint_Config_QA f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8d Verbose Looking up the additional information about the typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8f Verbose Site lookup is replacing
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly with the alternate access url
    http://inetdev. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8g Verbose Looking up typical site
    http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation General 6t8h Verbose Found typical site /sites/testrpa2 (407ba20c-079b-4b99-9e70-f86e6e13ddde) in web application SPWebApplication Name=SPDEV - 80. f5bd8793-a53c-2127-8485-418c67f110f6
    04/16/2015 15:22:03.80 w3wp.exe (0x1C74) 0x183C SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://inetdev:80/sites/testrpa2/_vti_bin/client.svc/site/ReadOnly)). Execution Time=62.2890618779761 f5bd8793-a53c-2127-8485-418c67f110f6
    Regards
    Sakti

  • Use of Authorizations Tab in User Account for Version 10

    Whats the use of Authorizations Tab in User Account for Version 10. Please find the snapshot attached.

    Hi Pawan,
    SAP Sourcing 10 allow custom script and query-based web services which support OAuth authentication so
    client consumer application will consume this web service and if the OAuth handshake is done successfully, then we can verify by going to the Authroizations tab of the User Account of the user that signed on to Sourcing/CLM and allowed the external program to access the particular webservice.
    For more insights please refer the Web services cookbook of SAP Sourcing 10.
    Hope it helps to some extent.
    Best,
    Kushagra A

  • Tacacs+ authentication errors

    I am having problems getting TACACS+ AAA working with my 3560 switches. I have set up users, groups, and NDG on ACS SE as per the CS ACS course material and have triple checked my keys to make sure they match. I have attached debug from switch for authentication, authorization and tacacs+. Can someone please tell me what I am doing wrong?

    Here is the config I have on the switch. (sorry should have sent this already).
    aaa new-model
    aaa authentication login default group tacacs+ none
    aaa authentication login no_aaa none
    aaa authorization exec default group tacacs+ none
    aaa authorization exec no_aaa none
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    aaa authorization commands 15 no_aaa none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    interface VLAN1
    ip address 10.200.1.16 255.255.255.0
    no ip directed-broadcast
    no ip route-cache
    ip tacacs source-interface VLAN1
    tacacs-server host 10.200.35.250
    tacacs-server key cisco
    line con 0
    authorization commands 15 no_aaa
    authorization exec no_aaa
    login authentication no_aaa
    transport input none
    stopbits 1
    line vty 5 15

  • 11g hybrid authentication / authorization: WLS plus external table

    I've implemented external table authentication / authorization in 11g. Now I'd like to add a twist.
    I have an external table containing users B, C, and D. That external table contains all of the columns I need for authentication (including a clear text password) and for authorization (roles, log level, a dynamic table name, and so forth). I have authentication in one initialization block, authorization in another. Everything works fine. I can log in as B, C, or D and see exactly what I'm supposed to see, based on the ROLES.
    The clear text passwords are generally not a problem, because this is a training instance and almost all of the passwords are the same. However, I want to add a user whose password should not be held in clear text. For that reason, I'd like to add that user into WLS. I've done that, and I'm able to log in to OBIEE. After confirming that I could log in to OBIEE with user A from the WLS, I added User A to the external table, left its password field blank, and filled in the other columns (roles, loglevel, etc...) that I need to assign into session variables.
    Here's the problem: the authorization init block properly assigns ALL session variables for users B, C, and D. It assigns all session varaibles EXCEPT the ROLES variable for user A. I've confirmed this by creating an Answers analysis that shows me the values of the session variables. The ROLES session variable for user A shows "authenticated-role;BIConsumer;AuthenticatedUser". For all other users (those who are authenticated using the clear text passwords in the external table) the ROLES variable is populated correctly, based on the values in the ROLES column in the external table. In short, the authorization init block is properly assigning the ROLES session variable only for those users that were authenticated using the authentication init block, but is assigning all other session variables correctly for all users, even the one in WLS.
    Here's my authentication init block code:
    select bi_user
    from bi_auth_ldap
    where bi_user = ':USER'
    and bi_user_pwd = ':PASSWORD'
    Here's the authorization init block code:
    select roles, bi_user_name, to_number(loglevel,0), channel_tbl
    from bi_auth_ldap
    where bi_user = ':USER'
    (returned results are assigned into ROLES, DISPLAYNAME, LOGLEVEL, and CHANNEL_TBL session variables, respectively)
    It feels like the ROLES session variable is populated in conjuction with the user logging on and being authenticated via WLS, and that the initialization block isn't able to overwrite that variable. Can an OBIEE developer confirm that for us, please? Once set in WLS, is it not possible to overwrite the ROLES session variable with SQL from an initialization block? If it IS possible, can you post some code that will accomplish it?
    Thanks!

    It occurs to me that Oracle's support model is a fantastic way to make money. Let's see, I wonder if I could become a billionaire doing this:
    Create some software. Sell that software. Then, charge customers several thousand MORE dollars, year after year, plus about $60 per bug, so that they have the right to report MY bugs to me. Yeah, that's the ticket - people PAYING for the right to report bugs to me. Oh, and if more than one person reports the same bug, I get to keep ALL of the money from ALL of them.
    Let's summarize, make sure I haven't missed something: You buy my software, you PAY ME additionally to report MY bugs to me, I don't necessarily have to fix the bugs (but I keep your money whether I fix it or not), and I can collect multiple times from different people who report the same bug.
    Sweeeeeeet.........
    Billionaire Acres, here I come!

  • Authentication & Authorization programming

    Hello all,
    I am in process to create a new application, My requirement here is that I want to create a reusable module that I want to use for authentication & authorization. Further I want that when ever a user logs-in, his/her privileges get stored in the session and based on the data stored in the database s/he should be able to view the page and event the fields/components on it.
    Can any one help me with the design of the above requirement.
    Thanks in advance for the same.

    Hi,
    if you want 2 applications share the same session you should give them the same login cookie name in the authentication scheme.
    >
    1. convey relevant values from the custom auth app (these cannot be one app)
    >
    Setup a database context to share values between the applications.
    Or use apex_util.fetch_app_item http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35127/apex_util.htm#BABIBAID
    >
    2. make certain that users don't just bookmark the target app and bypass my authentication/authorization outcomes -- something here with session ID?
    >
    Set the URL for the "session not valid" section of the authentication scheme to the login page of your custom auth app
    regards,
    Erik-jan

  • Authentication/Authorization across Apache/Weblogic?

    Hello,
    We are considering a setup with Apache handling Servlet/JSP and WLS for EJB/etc.
    I heard WLS has some plug-in for Apache. Does this plug-in enable Authentication/Authorization
    with my (custom RDBMS-based) security realm in WLS? Any gotcha? Any live experience?
    TIA
    chuck

    This is what I did. My environment is openldap, weblogic 10.3 on a windows machine. Still having trouble
    dn: cn=fd_user1,ou=people,dc=example,dc=com
    objectClass: person
    cn: fd_user1
    dn: cn=FD,ou=groups,dc=example,dc=com
    objectClass: groupOfNames
    cn: FD
    member: cn=fd_user1,ou=people,dc=example,dc=com
    Here is my weblogic.xml entries
    <wls:security-role-assignment>
    <wls:role-name>FD</wls:role-name>
    <wls:externally-defined/>
    </wls:security-role-assignment>
    My web.xml
    <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
    <web-resource-name>SecuredArea</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>FD</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>myrealm</realm-name>
    <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login.jsp</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <role-name>FD</role-name>
    </security-role>
    Inside the login.jsp I do have the j_security_check as the action parameter value. I am able to view the ldap users in the admin console too. Still not able to access the resource. I am in the process of debugging the ldap messages on the openldap console.
    Thanks

  • Tacacs Command Authorization

    Hello awsome community
    I am trying to wrap my head around a possible configuration issue where I am creating a "rancid" account to auto log into a cisco switch (2950/2960) with restricted access. The problem is I cannot seem to restrict the access verry well, the rancid user has all the access it wants
    Tacacs Config Snippit:
    group = rancid {
    default service = deny
    service = exec {
    priv-lvl = 15
    cmd = show {
    permit .*
    cmd = exit {
    permit .*
    cmd = dir {
    permit .*
    cmd = write {
    permit term
    Cisco AAA Configuration:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login console group tacacs+ local
    aaa authentication enable default group tacacs+
    aaa authorization console
    aaa authorization exec default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    Is there something I am missing or not accuratly setting up to restrict access to *only* the commands listed in the Tacacs Configs?

    Found the issue \o/
    I lacked some authorization commands, added the following fixed this issue:
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+
    aaa authorization commands 15 default group tacacs+

Maybe you are looking for

  • New Firefox version will no longer connect to my college's internet It NEVER had a problem with connecting before.

    Since I changed my laptop to the new version of Firefox it crashes EVERY time the college internet tries to sign on for authorization. It never did this with the previous version. What is supposed to happen is it opens a page that asks me to click "I

  • Password not shown in asterisk

    I have a device with a problem: When i try to unlock the blackberry , the password is shown in clear letters not in asterisks. Even if typing in the right password, it doesnt get accepted. And it's asking me to type in "blackberry"

  • Updating contents of PSE 13 Organizer

    Is there a quick, batch process to update the contents of the Organizer for all images that have been renamed, deleted or moved to different folders?

  • Dual video record limited

    I bought S5 for unlimited dual video recording.   Now will return because a 10 min limit is imposed.  Who knows where and under what temperature I am operating.  This is foolish.  On my motorcycle handlebars it will be cooled just fine at 70 MPhil an

  • Report: Fetching data more time

    HI, My report is facing the performance issue. Actually for a PO I am getting the BELNR from the EKBE. for all the BELNR in EKBE where BWTYP = 'Q'. I need to get the Invoice No. This I am fetching from BKPF based on AWKEY as input. When I saw in debu