Third Party Authentication

Hi,
I have been trying unsuccessfully to configure SiteMinder and 9iAS in the following configuration:
9iAS, Portal and Database on an HP-UX Server
Netegrity SiteMinder 5.5 on Windows NT
I successfully did the verified direct integration with SiteMinder 4.5 (ssoxnete, ssonete) with the SiteMinder WebAgent loaded into the 9iAS Apache.
However SiteMinder are going to desupport 4.5 at the end of the year and I can't move to 9iAS R2 as I have some Oracle E-Business Apps integration.
What I am trying to do is configure SiteMinder 5.5 with its own Apache on the NT server and integrate the SiteMinder Apache with the 9iAS Apache to enable the authentication to be passed through.
I am unable to get the session information SiteMinder sets in the browser to be picked up by 9iAS; I have tried setting up proxy passes, reverse proxies etc. unsuccessfully.
If anyone has done this, or has any suggestions, I would really appreciate it (running out of ideas).
Regards
Stephen Gunn

Just configure AccessManager to use AD or others to authenticate the users.

Similar Messages

  • Third-Party Authentication: Search User identity problem

    I have installed OpenSSO agent on my SGD server. I have followed this doc: http://wikis.sun.com/display/SecureGlobalDesktop/HOWTO+Use+OpenSSO+With+SGD
    Everything works except the part where the SGD server tries to map the username with the Local+LDAP repository
    I have enabled the Third-Party Authentication and selected the option: "Search the User Identity in the LDAP Repository and use the closest matching LDAP Profile from the Local Repository"
    I have also kept the already working System Authentication (Active Directory) enabled
    I have 2 problems:
    1 - If the user does not exist in the local directory (but exists in Active Directory) the user is not automatically logged in (the login screen of SGD appears).
    In the log file (catalina.out) I have an "Invalid credentials" message.
    The user is then able to log on manually.
    2 - If the user exists in both directories (local and Active Directory) the user is automatically logged in but the profile is not the same (the application list is different and the client settings are reset).
    I have checked the open session on the Administration console and I see a difference in the case of the User identity.
    If I log on manually I see "DC=COM / DC=DOMAIN / CN=User Name (LDAP)" (this is the right user).
    If I log on with OpenSSO I see "DC=com / DC=domain / CN=User Name (LDAP)".
    I can log on with both at the same time; SGD seems to consider them two different users.
    Thanks

    Hi,
    You need to create at least one high-level "LDAP Profile" user profile in the SGD ENS.
    Regards,
    Arno Staal
    Divider B.V.

  • OAAM Integration with Third Party Authentication tool

    Hi Guys,
    In our project we are planning to integrate OAAM11GR2 with OIM11GR2 and OAM11GR2 through Advanced integration. We have a requirement to call a third party authentication service from OAAM as a step up authentication for a particular user base (based on the group membership). Kindly suggest if this requirement is feasible and if you can provide any pointers to implement this requirement.
    Thanks

    Yes, you can use third party step up authentication.
    You can customize the challenge flow. Here is the link.
    http://docs.oracle.com/cd/E28389_01/doc.1111/e15480/igotp.htm
    (It is for 11gR1 but same applies to 11gR2)

  • SGD with Third Party Authentication issue

    Hi
    I am trying to setup SGD with Third Party Authentication and have done all the requisites for this.
    I input the SGD URL and get the Third Party Login page, but after I input my credentials I get redirected to the SGD default login page, which should not be the case. I had already set "Tomcat Authentication" to false in server.xml and enabled the Third Party authentication scheme in Array Manager.
    What else am I missing?
    Kindly advise
    SGD ver 4.31
    Thanks

    Every now and then I have found the same. One thing that almost always solved the problem was recreating a new trusted user; you can follow the steps from:
    http://docs.sun.com/source/820-1088/trusted_users.html
    Especially the step to test the trusted_user is a very good test to see if the trusted user is OK: http://server/axis/services/rpc/externalauth
    When prompted, log in as the trusted user.
    Another way to test it is via the api-test functionality: http://server/sgd/admin/apitest/
    First set up a session: webtopsession->startSession(0)
    Then authenticate via externalauth->setSessionIdentity
    These steps are the minimal steps to perform 3rd Party Authentication.
    (There is also an example JSP for 3rd Party Authentication on wikis.sun: http://wikis.sun.com/display/SecureGlobalDesktop/Single+sign-on+(before+4.40) )
    - Remold

  • 3rd party authentication before ACS (TACACS+) auth

    Dear experts,
    I've been struggling to find out information on 3rd party authentication integration to the ACS. I know that ACS can use external databases, but this is not what I'm looking for.
    I have someone, who wishes to use ACS for user authentication and at the same time develop real single sign-on to their corporate infrastructure. I have the product that can deliver this Single Sign-On, but thus far I've been able to reduce Sign-Ons to two (ACS and then Single Sign-On).
    What I would like to know is whether I can implement a third party authentication _before_ ACS authentication. In this scenario the 3rd party authentication server would be the first point of contact. After successfully receiving the user credentials from the user, the authentication server would forward this information to ACS. So is there any kind of description / API documentation on how to implement this? If this is possible, my customer could get real single sign-on to a multitude of Intranet services and continue utilizing the ACS investment.

    Here is a document on Monitoring and Reporting Tool Integration into Network Admission Control.
    http://www.cisco.com/en/US/netsol/ns466/networking_solutions_white_paper0900aecd801dee49.shtml

  • Activesync client Certificate authentication with third party CA

    Hi, I have to configure ActiveSync certificate-based authentication, and use a third party CA.
    What information and fields must I configure on the cert template to use it for ActiveSync?
    For now I have a template with the CN (FirstName LastName) for the Subject Name and a Subject Alternative Name with UserPrincipalName (user@domain). Is it enough?
    Must I publish the user's certificate in AD?
    Thanks

    Just one additional thing to consider, as I have seen it go wrong in the past.
    Make sure that whatever certificate solution you decide upon will be suitable for your internal clients (Outlook) as well as autodiscover, external name, etc.
    I have seen where people put in mail.domain.com in the SAN field, and everything works great for external clients. However, internal clients who connect to mbx01.domain.com (the internal server name) get errors, as this server name is not on the certificate.
    To make this work, you generally have two options:
    Put the internal name of the server on the certificate as well - requires a certificate that allows multiple names (may be referred to as a UC certificate or 'SAN Options' or something like that, depending on vendor)
    Setup split-DNS, so your internal clients also use mail.domain.com internally
    I realize that this doesn't answer your original question, but I have seen this being done wrong many times, and this will hopefully save some headache.
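    A constructed Python check, added here and not part of the thread, that lists which client-facing names a certificate's SAN entries fail to cover, applying RFC 6125 wildcard rules. The hostnames (mail.domain.com, mbx01.domain.com, plus autodiscover.domain.com from the reply's mention of autodiscover) are placeholders in the style of the reply.

```python
"""Which client-facing names does a certificate's SAN list leave uncovered?
Constructed example (not from the thread); hostnames are placeholders like the reply's."""


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, exact; a wildcard only as the
    whole left-most label, covering exactly one label (so *.domain.com does not
    cover domain.com or a.b.domain.com, and m*.domain.com is rejected)."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    first, _, rest = san.partition(".")
    if first != "*" or not rest:
        return False
    h_first, _, h_rest = hostname.partition(".")
    return bool(h_first) and h_rest == rest


def missing_names(cert_sans, required_hosts):
    """Return every required name that no SAN entry covers, in the order given."""
    return [h for h in required_hosts if not any(san_matches(s, h) for s in cert_sans)]


# Every name a client may present in TLS: the public name, autodiscover, and the
# internal server name the reply says is often forgotten.
REQUIRED_NAMES = ["mail.domain.com", "autodiscover.domain.com", "mbx01.domain.com"]

# Three constructed SAN lists: the mistake described in the reply, a UC/SAN cert, a wildcard.
EXTERNAL_ONLY_CERT = ["mail.domain.com"]
UC_CERT = ["mail.domain.com", "autodiscover.domain.com", "mbx01.domain.com"]
WILDCARD_CERT = ["*.domain.com"]

if __name__ == "__main__":
    for label, sans in [("external-only", EXTERNAL_ONLY_CERT), ("UC", UC_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        gaps = missing_names(sans, REQUIRED_NAMES)
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

    Choosing the reply's split-DNS option instead means removing mbx01.domain.com from REQUIRED_NAMES rather than adding it to the certificate.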

  • Wireless third party client utility to support GTC authentication

    Hi,
    I would like to know if any wireless third-party client utility is available to support desktop users getting authenticated via GTC. The wireless access points are Cisco, and the Aironet clients do not support Windows Vista & 7. The users' OSes are WinXP, Vista & Win7. The GTC is used from an RSA server and the RSA token can be viewed on a handheld RSA device. The on-board wireless utility on the above-mentioned OSes does not provide an option for an RSA token to be entered.
    Please help. Thanks in advance.
    Regards,
    Shivani.

    Hi Nicolas,
    Thanks for writing. The basic idea is to get RSA authentication for wireless users. They are not guest users; in fact they would be users from different branch locations moving to HO and vice versa, and at any location they move to, users should get access to their defined resources within the network. Is there a possibility of manipulating this by introducing e.g. NAC or some other solution which can be integrated within the network?
    I hope I make sense?!
    Regards,
    Shivani.

  • How to extend a wifi network of third party router with TC 4th generation?

    After searching the communities for a while, I did not find a definitive answer on the following question:
    - I recently bought a 4th generation Time Capsule 2TB (MD0322/A), that I also want to use as an extension for our existing wifi network.
    - This wifi network is maintained by a Sitecom Wireless 300N XR Gigabit Router. Router is set to work over 2.4 GHz (B+G+N) because of several non-N-wifi devices in the network. The channel in use is currently 11.
    - This router provides so called WDS functionality, i.e. the ability for other wifi access points to act as a seamless extension of the basic wifi network (using the same SSID).
    - The security settings in the router are WPA2 Mixed, with a password in plain ASCII.
    - There seems to be no way to set different security levels for WDS-connections versus normal AP (access point) connections. If WDS is enabled, the security settings of the AP-mode are extended to the WDS connection.
    I have set the Sitecom router to enable WDS, and added the MAC-address of the TC in the configuration of this router.
    When configuring the Time Capsule, with Airport Utility 5.5.3, I can select the option to use TC to extend an existing network, and I can select the network of choice using the WPA personal or WPA/WPA personal security. However, the TC does not succeed in extending the network, and reports this back. If I manually configure the TC and select the network of choice, Airport Utility reports back that the selected network cannot be extended.
    I have read several times in other posts that Time Capsule can only connect to third party routers via WDS using WEP-authentication, but these posts were quite old. I was wondering if this is still the case, or that Apple has updated this functionality in newer versions of TC, and thus there could exist a trick to connect to a WDS using WPA.
    I really would appreciate suggestions.
    Bram Bos

    gilles13 wrote:
    I have a mac and pc (win7) both are connected thru a network with wifi and allready two access pt.
    Airport can not be used to extend a WiFi created by a non-Apple box.
    You need to turn off the radio in the router (shut down the existing WiFi).  Purchase TWO Airport Express units.  Connect one to the router with an Ethernet cable.  Configure that one as your primary WiFi network and then use the second Express as the extender.
    You need to locate the second Express where it receives a decent WiFi signal.  Too far away and it has nothing to extend.  Too close and it doesn't buy you anything.  Before you plug in the second Express, check to see where the primary WiFi disappears completely.  My personal WAG is that you want to locate the second Express 2/3 the distance to that point.
    If you use Airport Utility to configure the units, it's a snap.  In fact, if you configure the primary first and the extender second, AU will default to exactly the settings that you want.
    By the way, I referred to the Express because it's less expensive than the Extreme and you didn't indicate any need for the Extreme features.

  • WLC 5508 - EAP-TLS - Windows 8.1 Third Party PKI

    Hello,
    Does anybody know what could prevent a Windows 8/8.1 system from connecting to a WLC via EAP-TLS? Windows 7/XP do not have any problems here. The RADIUS server accepts the request, but Windows 8 still tries to authenticate.
    Software is updated to 7.6.120.0; I tried to set up timeout values, but no success at all.
    Did anyone have similar problems with Windows 8/8.1?
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Starting key exchange to mobile 0c:8b:fd:eb:16:17, data packets will be dropped
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17 state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17 state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Reusing allocated memory for  EAP Pkt for retransmission to mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Received Auth Success while in Authenticating state for mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
    *osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *osapiBsnTimer: Jun 24 12:43:16.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *osapiBsnTimer: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
    Any hint would be great .... Thank you...
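    A constructed Python triage script, added here and not part of the thread, that reads WLC debug lines like the ones above and reports per station whether EAP succeeded and whether the 4-way key handshake completed. The sample trace is a condensed copy of the post's lines for 0c:8b:fd:eb:16:17, plus a second, made-up station on the same message formats to show the uneventful path; it relies only on message texts that appear in the post.

```python
"""Triage Cisco WLC 802.1X debug output: did EAP succeed, and did the 4-way handshake finish?
Constructed example, not from the thread; SAMPLE_LOG reuses message formats seen in the post."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a condensed copy of the post's trace for 0c:8b:fd:eb:16:17, plus a
# second (made-up) station 00:11:22:33:44:55 that shows no key-exchange errors.
SAMPLE_LOG = """\
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17 state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
*osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
*dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
*osapiBsnTimer: Jun 24 12:43:16.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
*dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
*osapiBsnTimer: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
*dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
*Dot1x_NW_MsgTask_2: Jun 24 12:44:01.100: 00:11:22:33:44:55 Entering Backend Auth Success state (id=3) for mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_2: Jun 24 12:44:01.101: 00:11:22:33:44:55 Sending EAPOL-Key Message to mobile 00:11:22:33:44:55 state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
"""

# "*task: Mon DD HH:MM:SS.mmm: <station MAC> <message>"
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) *(?P<msg>.*)$")
RETRANSMIT_RE = re.compile(r"Retransmit \d+ of EAPOL-Key M1")


def _new_state():
    return {"eap_success": False, "m1_sent": 0, "m1_retransmits": 0,
            "m2_timeouts": 0, "m1_failed": False, "first_m1": None, "last_event": None}


def parse(log_text):
    """Group the events we care about per station MAC, keeping timestamps for the stall timer."""
    stations = defaultdict(_new_state)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                    # not a per-station debug line
        s = stations[m["sta"]]
        msg = m["msg"].strip()
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        s["last_event"] = ts
        if "Auth Success" in msg:                       # backend (RADIUS) accepted EAP
            s["eap_success"] = True
        elif "Sending EAPOL-Key Message" in msg and "(message 1)" in msg:
            s["m1_sent"] += 1                           # 4-way handshake M1 sent to client
            s["first_m1"] = s["first_m1"] or ts
        elif "'timeoutEvt' Timer expired" in msg and "message = M2" in msg:
            s["m2_timeouts"] += 1                       # waited for M2, client sent nothing
        elif RETRANSMIT_RE.search(msg):
            s["m1_retransmits"] += 1
        elif "Retransmit failure for EAPOL-Key M1" in msg:
            s["m1_failed"] = True                       # WLC gave up on this client
    return stations


def diagnose(s):
    """Turn one station's counters into a verdict a WLAN admin can act on."""
    d = dict(s)
    d["stall_seconds"] = ((s["last_event"] - s["first_m1"]).total_seconds()
                          if s["first_m1"] and s["last_event"] else None)
    if s["eap_success"] and (s["m1_failed"] or s["m2_timeouts"]):
        # RADIUS accepted the client, yet the client never answered M1: the fault is on the
        # supplicant side after EAP success, so the server's accept decision is not the issue.
        d["stage"] = "4way_stalled_at_m1"
    elif s["eap_success"]:
        d["stage"] = "key_exchange_started_no_errors"
    else:
        d["stage"] = "no_backend_auth_success"
    return d


def analyze(log_text):
    """Map station MAC -> diagnosis dict for every station seen in the trace."""
    return {sta: diagnose(s) for sta, s in parse(log_text).items()}


if __name__ == "__main__":
    for sta, d in analyze(SAMPLE_LOG).items():
        print(f"{sta}: {d['stage']} (M2 timeouts={d['m2_timeouts']}, "
              f"M1 retransmits={d['m1_retransmits']}, stall={d['stall_seconds']}s)")
```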

    Hello Dino,
    Thanks very much for your reply.
    The client uses a machine certificate; the PKI is not a Microsoft one, but a third-party PKI. The certificate is fresh and valid, the root cert is installed and checked to be validated against it for the login.
    Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
    EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
    I suspect the cert setup itself, but don't get a clue where this might be stuck...
    Björn

  • Third party SSO with a custom login module

    Hello everyone,
    I've found a few posts on the forum with questions similar to mine, but none have been answered.  I'm using a 3rd party authentication product along with a custom implementation of the AbstractLoginModule interface.
    The setup is standard: A 3rd party agent is installed on a reverse proxy web server to SAP. The agent is configured to protect SAP resources, and it handles the login screens and authentication. Once the user has been authenticated, the AbstractLoginModule implementation kicks in, decrypts and validates an SSO token, retrieves the username from it and creates an SAP Principal.   
    The login ticket template is configured as follows:
    1. EvaluateTicketLoginModule   SUFFICIENT
    2. MyLoginModule               REQUISITE
    3. CreateTicketLoginModule     OPTIONAL
    One of the integration's key requirements is that direct interaction with standard SAP authentication must be avoided.  More specifically, the user should never need to enter an SAP password.  I'm only seeing two problems, both of which violate this requirement.
    The first is in cases where there is no existing SAP user that matches the authenticated user. In this case, the third party token and SAP Principal are created, the abort method is called, and the user is redirected to the SAP login page. I need to either bring the user back to the third party login page or to a custom error page~.
    The second problem occurs when an SAP password change is required. Again in this case, an SAP form is displayed after the module has created the Principal (although once the user changes the SAP password, all's well). If I were to disable mandatory password changes, would this apply to fat client access as well? If so, then it's not a viable option.
    The general idea in both instances is that the SAP I'd appreciate any help or suggestions.  
    Thanks
    ~ Since the SSO token applies to applications outside of SAP, I may add a login module parameter to make this a configurable choice. (I.e. allow the administrator to decide whether to inform the user that SAP authentication failed while preserving the SSO token, or to destroy the token and force re-authentication). However, if there is a way to configure the "bad credentials" URL outside of the module's code/parameters, it may be better to place the choice there.

    Hi Julius,
    Thank you for the quick response - and on a Sunday, no less!
    I have considered verifying that the user existed in SAP before creating the Principal.  One might argue that that would be the common sense thing to do.  The reason I've held off is that the error should be so rare that it may not justify the overhead.  There's a requirement to have a one-to-one username mapping between SAP and the authentication application.  It would be more efficient to assume that this requirement has been met and to handle the Exception when it hasn't been.  Of course, that doesn't mean that it's the right way to go.
    Julius Bussche wrote:
    For the first concern, if they can access the logon page directly (anyway) you could disable it as you do not want any password based logons (right?) and redirect it to your external page or an error page.
    Yes, this is what I'm hoping to do, but I'm not sure how to do it.  Here are some comments and questions about this:
    1. What's involved in disabling the login page?  I would think you'd need to replace it with something else rather than just switch it off.   Could I limit this change to the login ticket template so that other templates (basic authentication, for example) are still available?
    2. Keep in mind that users will never get past the "real" login page unless they have been authenticated.  This complicates matters because we're dealing with a scenario in which the user has already been authenticated but doesn't exist in SAP.  Therefore, it wouldn't make sense to go back to either login page.   
    3. What's involved in redirecting to an external page?  Is this an explicit redirect in the module code, or can it be decoupled from the module?  It's not a big deal, but it would be nice to avoid mandatory module parameters for relative paths to error pages.   
    I think the question I'm after is: "Can I simply change an SAP login URL parameter to point to a custom error page, and allow everything to work as it does now (where SAP handles the redirect)".  If so, could I limit the scope of the change to the login ticket template?  What would be even better is if I could configure SAP's response to this error.  Somewhere, it's currently configured to display the login page.  Ideally, I'd be able to configure it to display myErrorPage, and then set myErrorPage to the appropriate URL.  
    Julius Bussche wrote:
    For the second concern, I assume that there are no valid passwords involved here which might have expired, so as long as the user does not have the option to activate a password again and anyway cannot logon via password as the option is not presented... then you should be fine here as well with a forward proxy. Not sure which Java APIs are offered here, but you could check this together with the existence check and react to both prior to accessing SAP "from the outside".
    The problem here is that the SAP passwords are needed outside of the integration. It's true that whether an SAP password has expired is irrelevant to the integration. However, this is a Web-based integration; SAP passwords must still be available to users who have access to other clients. With this in mind, could I create a user password policy that disables password expiration and automatic password change, but only apply it to Web client access? If not, do you know how I might override SAP's behavior?
    Once again, thank you for taking your time to help me out.  I am very grateful.
    - John
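    To make the control flags in John's login ticket template concrete, here is a constructed Python model, added here and not SAP's or the poster's code, of a JAAS-style login stack: the three module names are from the post, while the SAP user store, SSO tokens and ticket values are stand-ins. It runs the stack with and without the user-existence check John is weighing, so the difference between "REQUISITE fails, abort() runs, no ticket" and "Principal created for a user SAP does not know" is visible.

```python
"""JAAS-style login stack with the control flags from the post (constructed model, not SAP code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins: SAP user store, third-party SSO tokens, existing SAP logon tickets.
SAP_USERS = {"jdoe", "asmith"}
SSO_TOKENS = {"tok-jdoe": "jdoe", "tok-ghost": "ghost"}   # "ghost" has no SAP user
SAP_TICKETS = {"tkt-asmith": "asmith"}


class LoginException(Exception):
    """Stands in for javax.security.auth.login.LoginException: login() failed."""


@dataclass
class Context:
    request: dict
    principals: list = field(default_factory=list)
    issued_ticket: Optional[str] = None
    trace: list = field(default_factory=list)


class EvaluateTicketLoginModule:
    """Succeeds only when the request already carries a valid SAP logon ticket."""
    name = "EvaluateTicketLoginModule"

    def __init__(self):
        self.user = None

    def login(self, ctx):
        ticket = ctx.request.get("sap_ticket")
        if ticket is None:
            return False                       # nothing to evaluate: JAAS "ignore"
        if ticket not in SAP_TICKETS:
            raise LoginException("logon ticket invalid")
        self.user = SAP_TICKETS[ticket]
        return True

    def commit(self, ctx):
        if self.user:
            ctx.principals.append(self.user)

    def abort(self, ctx):
        self.user = None


class MyLoginModule(EvaluateTicketLoginModule):
    """The poster's custom module: validates the third-party SSO token and names the user.
    require_sap_user=True adds the existence check the poster is considering; commit() and
    abort() keep the same principal bookkeeping as the parent class."""
    name = "MyLoginModule"

    def __init__(self, require_sap_user=True):
        super().__init__()
        self.require_sap_user = require_sap_user

    def login(self, ctx):
        user = SSO_TOKENS.get(ctx.request.get("sso_token"))
        if user is None:
            raise LoginException("SSO token missing or invalid")
        if self.require_sap_user and user not in SAP_USERS:
            raise LoginException(f"{user} authenticated by SSO but has no SAP user")
        self.user = user
        return True


class CreateTicketLoginModule:
    """Issues an SAP logon ticket for whoever the earlier modules authenticated."""
    name = "CreateTicketLoginModule"

    def login(self, ctx):
        return True

    def commit(self, ctx):
        if ctx.principals:
            ctx.issued_ticket = "tkt-" + ctx.principals[0]

    def abort(self, ctx):
        pass


def login_stack(stack, ctx):
    """Phase 1: run login() with JAAS control-flag semantics. Phase 2: commit or abort."""
    invoked, required_failed, any_success = [], False, False
    for flag, mod in stack:
        invoked.append(mod)
        try:
            ok = mod.login(ctx)
            note = "ok" if ok else "ignored"
        except LoginException as e:
            ok, note = False, f"failed: {e}"
        ctx.trace.append(f"{mod.name} [{flag}] {note}")
        if ok:
            any_success = True
            if flag == "SUFFICIENT" and not required_failed:
                break                          # SUFFICIENT success: later modules not run
        elif note != "ignored" and flag in ("REQUIRED", "REQUISITE"):
            required_failed = True
            if flag == "REQUISITE":
                break                          # REQUISITE failure: stop immediately
    success = any_success and not required_failed
    for mod in invoked:                        # commit on success, abort on failure
        (mod.commit if success else mod.abort)(ctx)
    ctx.trace.append("commit" if success else "abort")
    return success


def authenticate(request, require_sap_user=True):
    """The post's login ticket template, evaluated against one request."""
    stack = [("SUFFICIENT", EvaluateTicketLoginModule()),
             ("REQUISITE", MyLoginModule(require_sap_user)),
             ("OPTIONAL", CreateTicketLoginModule())]
    ctx = Context(request)
    return login_stack(stack, ctx), ctx


if __name__ == "__main__":
    for req, check in [({"sap_ticket": "tkt-asmith"}, True), ({"sso_token": "tok-jdoe"}, True),
                       ({"sso_token": "tok-ghost"}, True), ({"sso_token": "tok-ghost"}, False)]:
        ok, ctx = authenticate(req, check)
        print(ok, ctx.principals, ctx.issued_ticket, " -> ".join(ctx.trace))
```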

  • Third party ISP and SMTP settings for outlook

    HI,
    We've recently signed with BThome because the connection speed where we live is much better than it was with Demon. However...
    I can't seem to make a configuration for my outgoing email settings. I'm receiving my incoming messages from a third-party POP account related to my website. There is no problem with my incoming mail, despite what the nice Indian lady at the helpline accused me of. With Demon it was simple: you just changed the SMTP setting to post.demon.co.uk. However there doesn't seem to be an easy solution for that with BT. They insist I take on a btinternet email account. I do not want to do that.
    Is there anyone with a similar issue and/or solution? That would be greatly appreciated.
    Many thanks, Michael

    Hi Michael.
    In order to send emails via BT you need to alter the smtp server to mail.btinternet.com - however this may also need other things to be set, i.e. smtp authentication.
    You may need to use something called address verification (see my shortcuts section 0e).
    Now, with a 3rd party email provider - you should normally be able to use their smtp server (unless they don't have one), and maybe need to alter the port to say perhaps 587 rather than 25.
    As Ian said, you will have a btinternet email address - either you chose one on joining or you were allocated one, typically based on your name. This will be needed for address verification.
    There are a couple of other ways to do it, e.g. use live.com from MS, or a Gmail verification, but the latter typically shows strange receipt details for some people showing the actual Gmail address as well.
    http://www.andyweb.co.uk/shortcuts
    http://www.andyweb.co.uk/pictures

  • Third Party Integration and OID Accounts

    I'm planning on using OID with a sync with another LDAP such as AD or Novell. I am also going to integrate SSO with a third party SSO engine.
    How do I log into Oracle SSO with a user neither defined in AD or my third party SSO engine? I am basically worried about accounts like PORTAL and ORCLADMIN. Is it possible to bypass the third party integration for these accounts or am I forced to create these accounts in AD and my third party SSO engine?

    Jon,
    You can either authenticate locally, e.g. cn=orcladmin, or externally.
    You have various options (depending on the OID version) and how you organize the user base in OID. On a high level the authentication is based on objectclasses for an entry.
    E.g. users being synchronized from AD to OID (using the Directory Integration Platform) contain an objectclass "aduser" to distinguish them as external AD users within OID. So the external authentication plugin will "know" who is an AD user and try to authenticate this user externally with AD, not OID. You can also configure the external authentication plugin to filter users who should not be externally authenticated.
    If you store all external users in a dedicated subtree, e.g. cn=AD_USERS or cn=EDIR_USER, you can configure the external authentication plugin to authenticate those users to the respective external directories.
    With OID 10.1.4.0.1 you could also make use of the server chaining authentication.
    So there are a couple of options you have. See the documentation
    Oracle Identity Management Integration Guide
    http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b15995/toc.htm
    Oracle Internet Directory Administrator's Guide
    http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b15991/toc.htm
    regards,
    --Olaf

  • SharePoint 2013 on-premises integration with third party email account

    The email sending issue from SharePoint is causing too much wasted time.
    First let me explain how our SharePoint is deployed
    Sharepoint version : 2013
    Deployment type : on-premise
    Authentication : from Domain controller also hosted locally 
    domain name ; say domain.com this domain.com is same as our website address hosted on godaddy
    SharePoint computer name on local DNS :  sharepoint.domain.com
    OS and IIS : 2008 r2 , IIS 7.5 
    Network firewall : 25 26 ports  opened for sharepoint , both incoming and outgoing.
    Server firewall : turned off
    Email configuration Attempts by IIS 6.0 
    We tried following setting on IIS 6.0 SMTP local server properties
    In General tab
    qualified name was shown as : sharepoint.dts-solution.com
    IP assigned : sharepoint server IP , advanced: put two entries of IP with ports as 25,26
    In Access tab
    Authentication : selected as Anonymous 
    Connection : All except below list : empty list
    Relay : only the list below , one entry as 127.0.0.1 and other is local static IP of SharePoint server
    in Delivery tab
    outbound security : Basic authentication : accessed user in AD and given the right password, also checked with anonymous - not working
    outbound connection: all default values and port = 25
    Advanced : fully qualified domain name = sharepoint.domain.com , DNS test showed success, rest every check box unchecked
    On sharepoint central management settings
    Outbound email = sharepoint.domain.com
    from and reply to address = [email protected] 
    IIS 7.5 SMTP settings 
    In IIS 7.5 sharepoint application we added SMTP settings as smtp server = godaddy out going smtp , user name as [email protected] , password = godaddy password , port : godaddy outgoing port  .
    Godaddy account 
    Our website hosted on godaddy with same name as domain.com
    open relay not possible on emails.
    Results
    After setting alerts on SharePoint sites and assigning tasks with alerts we receive email in queue folder but they never get forwarded. We just wish to use any of our email *.domain.com to send outgoing emails from SharePoint . Its been a while we have no
    success. 
    Tech Learner

    Hi,
    As I understand, you are using SharePoint 2013 integrated with a third-party SMTP server which provides the email function.
    From the SharePoint side, I'd suggest you refer to the link below to configure email integration:
    http://technet.microsoft.com/en-us/library/ee956941(v=office.15).aspx
    If you have already confirmed that the message is sent from SharePoint but is stuck in the queue on the SMTP server, then the issue might be related to relay on the SMTP server. Since the issue is related to a third-party product, we do not have enough resources here,
    so I'd recommend you contact their support engineers for more assistance:
    https://support.godaddy.com/help/category/154/email
    https://support.godaddy.com/help/article/3552/managing-your-email-account-smtp-relays
    Thanks for your understanding.
    Regards,
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected].
    Rebecca Tu
    TechNet Community Support

  • Using JAAS for third-party webapp

    I'm developing a webapp that will be marketed to enterprise customers. Right now, it handles its own authentication by validating the userid/password against its own user table. I'd like to give customers the ability to plug in whatever type of authentication they want, for example, one that authenticates a user against an Active Directory domain.
    It seems like JAAS was expressly designed for this purpose, but as I read up on it, I foresee all sorts of problems that could be caused by it. If I'm missing something, I'm hoping someone here can set me straight.
    According to the docs, when an app creates a LoginContext and provides it with CallbackHandlers, the LoginContext will check the Configuration to see if any LoginModules are configured for the app (based on the name parameter passed into the LoginContext). If it doesn't find one, it will look for a set of LoginModules for "other".
    Here's the behavior I would like: if there is no set of LoginModules configured specifically for my app, I do NOT want the LoginModule(s) for "other" used, since I have no clue what it/they will be. Instead, I would like my code to be gracefully notified that no LoginModules are configured, so it can default back to its own authentication mechanism. From the looks of the API docs, however, there doesn't seem to be any surefire way to tell why a LoginException has been thrown.
    I thought I might be able to check programmatically to see if there's a LoginModule configured for my webapp with Configuration.getConfiguration().getAppConfigurationEntry(appName), but 1) it looks like that will probably throw a SecurityException, and 2) it also looks like it would return the AppConfigurationEntries for "other" in the event there's no entry for my app.
    It's important that my app not require the appserver administrator to explicitly configure a LoginModule for it, since that could turn into a support nightmare; I simply want to give power users the ability to do so if they choose to.
    Is it possible to get the behavior I want from JAAS, without a lot of contortions and workarounds? As I said, I may be missing something, but it doesn't seem like I can.

    > This is from the javadocs:
    >
    > public LoginContext(String name) throws LoginException
    >
    > Initialize the new LoginContext object with a name. LoginContext uses the specified name as the index into the Configuration to determine which LoginModules should be used. If the provided name does not match any in the Configuration, then the LoginContext uses the default Configuration entry, "other". If there is no Configuration entry for "other", then a LoginException is thrown.
    >
    > Throws: LoginException - if the specified name does not appear in the Configuration and there is no Configuration entry for "other", or if the auth.login.defaultCallbackHandler security property was set, but the implementation class could not be loaded.
    >
    > The "or" condition here could be ignored because you wouldn't be using CallbackHandlers, or even if you are using them, you could ensure that the classes are 'loadable'.

    The problem is that LoginException is going to be thrown for anything that goes wrong inside a LoginContext. If there is an "other" LoginModule set, but it doesn't recognize my user's name and password, then it will throw a FailedLoginException. How is my code supposed to know that the user's name/password will never be accepted by that LoginModule?

    > 2. An alternative would be to provide your own implementation of the abstract class javax.security.auth.login.Configuration, overriding the default implementation provided by Sun.

    Remember, this is a third-party webapp running in an appserver with other webapps from different providers. It has to use whatever Configuration is already there.

    > This is the same technique if you wish to provide the login module information in any other location than a text file (as is required by the default implementation). You could then throw specific custom exceptions from your implementation code and choose to handle them in the manner you desire.

    Even if I could do that, which I can't, as I explained, I have to keep this SIMPLE for customers who might not be very knowledgeable in the more esoteric aspects of J2EE and Java.
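    One way to get the behaviour asked for in this thread, as an added example (not code from the thread or from any product discussed on this page): ask the installed Configuration for an entry under the application's own name before ever constructing a LoginContext. The Configuration Javadoc specifies that getAppConfigurationEntry returns null for a name it has no entry for; the fallback to "other" is performed by LoginContext, not by Configuration, so checking at this level keeps an unrelated "other" entry from ever being used. A SecurityException from Configuration.getConfiguration() (no login configuration file located, or AuthPermission("getLoginConfiguration") denied by the container) is treated as "not configured for us" and triggers the fallback. When JAAS is used, a FailedLoginException is reported as a rejected credential while any other LoginException is reported as a deployment problem, which is the distinction the poster wants to expose to callers. The class name PluggableAuthenticator, the Result enum, the entry name passed to the constructor, and the localCheck predicate standing in for the webapp's own user table are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.function.BiPredicate;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example: use JAAS only when the installed Configuration has an entry
 * under this application's own name; otherwise fall back to the webapp's own
 * credential check. Class, method and field names are illustrative assumptions.
 */
public final class PluggableAuthenticator {

    /** Lets the caller tell a rejected credential apart from a broken deployment. */
    public enum Result { ACCEPTED, REJECTED, CONFIG_ERROR }

    private final String appName;                         // JAAS entry name, e.g. "MyWebApp" (assumed)
    private final BiPredicate<String, char[]> localCheck; // stand-in for the app's own user table (assumed)

    public PluggableAuthenticator(String appName, BiPredicate<String, char[]> localCheck) {
        this.appName = appName;
        this.localCheck = localCheck;
    }

    /**
     * True only if an entry exists under exactly appName. Configuration.getAppConfigurationEntry
     * returns null for an unknown name; the fallback to "other" is done by LoginContext, so
     * checking here keeps an unrelated "other" entry from ever being used. A SecurityException
     * (no login configuration located, or AuthPermission("getLoginConfiguration") denied) is
     * treated as "not configured for us".
     */
    public boolean jaasConfiguredForApp() {
        try {
            AppConfigurationEntry[] entries =
                    Configuration.getConfiguration().getAppConfigurationEntry(appName);
            return entries != null && entries.length > 0;
        } catch (SecurityException e) {
            return false;
        }
    }

    public Result authenticate(String user, char[] password) {
        try {
            if (!jaasConfiguredForApp()) {
                return localCheck.test(user, password) ? Result.ACCEPTED : Result.REJECTED;
            }
            return viaJaas(user, password);
        } finally {
            Arrays.fill(password, '\0'); // do not keep the clear-text secret around longer than needed
        }
    }

    private Result viaJaas(String user, char[] password) {
        // Hand the credentials to whatever LoginModule the administrator configured for appName.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // PasswordCallback copies the array
                } else {
                    throw new UnsupportedCallbackException(cb, "callback type not supported");
                }
            }
        };
        try {
            LoginContext ctx = new LoginContext(appName, new Subject(), handler);
            ctx.login();
            return Result.ACCEPTED;
        } catch (FailedLoginException e) {
            // The configured module examined the credentials and rejected them.
            return Result.REJECTED;
        } catch (LoginException e) {
            // Any other LoginException (module class missing, bad options, ...) is a deployment
            // problem; surface it in the administrator's log, not as a login failure to the user.
            return Result.CONFIG_ERROR;
        }
    }
}
```

    With a login configuration file that contains an entry named after the application (for instance an entry MyWebApp that lists com.sun.security.auth.module.LdapLoginModule), authenticate() takes the JAAS path; with no such entry, even if an "other" entry is present, localCheck is consulted instead. Because the decision is made from the Configuration rather than by catching a LoginException, an "other" entry belonging to some other webapp is never asked to validate this application's users.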

  • How to hide url of third party external/partner application

    I have a third-party external Oracle application, ArcIMS by the ESRI corporation, that I have on a test portal.
    It has its own password authentication. In order to have SSO work I have to turn off its password request.
    The problem is that the URL address shows in the portal. Anyone could simply type in the URL and access the application directly and bypass the portal login. Can one hide or wrap the URL in the portal? If so, HOW is that done?

    Since you've already made Java non-portable by using Runtime, you're probably best off using the OS's capabilities to find the program's path.
    If the third-party program was always contained in Java's classpath list, you could use Class.getResource().
