TLS mutual authentication and separate default SMTP routes per listener - IronPort C370

Dear all,
We have two IronPort C370 ESAs, formed in a cluster.
We are in need to route e-mails targeted to a special group using TLS Required/Verify.
I have two questions:
1. Is TLS mutual authentication possible on both incoming and outgoing?
2. Due to the nature of the TLS need, the existing listener cannot be used. So I created a new listener and the respective filters to decide when the recipient requirements are met. The new listener is going to be configured with a policy specifying TLS Required/Verify. The problem is that there is always a default SMTP route pointing specifically to a cloud service rather than directly to the Internet, while for the new listener usedns is required. Is it possible to have two different default SMTP routes assigned to different listeners?
Thanks and kind regards,
Gino.
PS: Please bear with me and my questions. I am making my first steps in IronPort administration.

I have made some sort of progress, but I would also like to have your expert opinions.
I have come to understand that in order to present TLS mutual authentication for the incoming traffic I will just have to trust the sender(s) CA (containing SANs etc. for both the SMTP domain and the ESA itself), while if I spread my own SANs to the counterparts I will also have TLS mutual authentication on the outgoing traffic as well. The issue is that I will have to declare it in Destination Controls, and it cannot be generic.
Is there any way to make TLS Required/Verify with mutual authentication the default without having to set destination control(s)?
As for my second question, I have come to understand that the additional listener is not an additional MTA and consequently I cannot have a separate default SMTP route (default = what is called "ALL" in IronPort). Still, if anyone knows something more, it would be really helpful if it was shared.
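Gino's two questions above concern how the ESA picks the next hop for a recipient domain (SMTP routes, the "ALL" default, USEDNS) and which TLS level applies to that destination (Destination Controls). The following is an added example, not IronPort code or anything from this thread, that models both lookups and shows what each TLS level means in terms of a Python ssl context; the route table, domain names and the policy semantics stated in the docstring are constructed assumptions.

```python
"""Model of how an ESA-style MTA picks the next hop and the TLS policy for a
recipient domain, and an ssl.SSLContext that enforces that policy.

Editor-added example, not IronPort code. Assumptions: the most specific
SMTP route wins, a leading-dot entry matches subdomains only, "ALL" is the
fallback ("All Other Domains"), "USEDNS" means look up the MX records, and
the Destination Controls "Default" entry applies to any unlisted domain.
"""
import smtplib
import ssl
from typing import Dict, List, Optional

# Destination Controls TLS levels, in the ESA's own terms.
TLS_NONE, TLS_PREFERRED, TLS_REQUIRED, TLS_REQUIRED_VERIFY = (
    "none", "preferred", "required", "required-verify")

# Constructed SMTP route table: domain (or .suffix) -> ordered next hops.
ROUTES: Dict[str, List[str]] = {
    "partner.example": ["mx1.partner.example", "mx2.partner.example"],
    ".internal.example": ["relay.internal.example"],
    "ALL": ["smtp.cloud-filter.example"],   # the cloud service in the post
}

# Constructed Destination Controls: per-domain TLS level plus the Default.
DEST_CONTROLS: Dict[str, str] = {
    "partner.example": TLS_REQUIRED_VERIFY,
    "Default": TLS_PREFERRED,
}


def resolve_route(domain: str, routes: Dict[str, List[str]] = ROUTES) -> List[str]:
    """Exact domain first, then the longest matching .suffix, then ALL.
    With no ALL route the appliance default is USEDNS."""
    domain = domain.lower().rstrip(".")
    if domain in routes:
        return routes[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):            # .b.example before .example
        suffix = "." + ".".join(labels[i:])
        if suffix in routes:
            return routes[suffix]
    return routes.get("ALL", ["USEDNS"])


def tls_level(domain: str, controls: Dict[str, str] = DEST_CONTROLS) -> str:
    """Destination Controls lookup: the domain's own entry, else Default."""
    return controls.get(domain.lower(), controls["Default"])


def build_context(level: str, cafile: Optional[str] = None,
                  client_cert: Optional[str] = None,
                  client_key: Optional[str] = None) -> Optional[ssl.SSLContext]:
    """Context for one TLS level. Only required-verify authenticates the peer
    (chain to cafile plus hostname check against the next hop we dial).
    Loading our own certificate is our half of mutual TLS; the receiving
    listener decides whether to demand it."""
    if level == TLS_NONE:
        return None
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if level != TLS_REQUIRED_VERIFY:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE   # encrypt, but trust nobody in particular
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def decide(level: str, peer_offers_starttls: bool) -> str:
    """Action after EHLO: 'plaintext', 'starttls' or 'fail'. Only preferred
    falls back to cleartext when the peer does not advertise STARTTLS."""
    if level == TLS_NONE:
        return "plaintext"
    if peer_offers_starttls:
        return "starttls"
    return "plaintext" if level == TLS_PREFERRED else "fail"


def deliver(msg: str, sender: str, rcpt: str, cafile: Optional[str] = None,
            client_cert: Optional[str] = None, client_key: Optional[str] = None) -> None:
    """Network path (not exercised by the offline checks): route, then policy,
    then enforce it with smtplib."""
    domain = rcpt.rsplit("@", 1)[1]
    level, hops = tls_level(domain), resolve_route(domain)
    if hops == ["USEDNS"]:
        raise NotImplementedError("USEDNS needs an MX lookup (e.g. dnspython)")
    ctx = build_context(level, cafile, client_cert, client_key)
    with smtplib.SMTP(hops[0], 25, timeout=30) as smtp:
        smtp.ehlo()
        action = decide(level, smtp.has_extn("starttls"))
        if action == "fail":
            raise RuntimeError(f"{domain}: policy {level} but peer lacks STARTTLS")
        if action == "starttls":
            smtp.starttls(context=ctx)    # raises SSLError if verification fails
            smtp.ehlo()
        smtp.sendmail(sender, [rcpt], msg)
```

Only deliver() touches the network; the lookups and the context builder run offline, which is where the difference between "Required" (encrypted, unauthenticated) and "Required - Verify" (chain and hostname checked) is visible.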

Similar Messages

  • SMTP Routes, DNS and Failover

    Hi!
    I'm configuring an outgoing server (i.e. only a private listener) on ESA C370 with AsyncOS 8.0.1.
    I use the Internet's root DNS servers, and my default SMTP route is empty. My ESA is connected to 3 networks: production (default gateway), administration and failover (1 interface/network).
    I would like to deploy a failover solution with an extra ESA on the failover network: if I lose my Internet connection (impossible to reach DNS and remote MX), my ESA would redirect all its mails to the extra ESA.
    How can I do that?
    Thank you for your help.
    Best Regards
    Quentin

    The ESA has no way to automatically fall back to a static IP if DNS is unreachable. The best on-box solution I can suggest is manually changing the 'All Other Domains' SMTP Routes entry when such an event occurs.
    I hope this helps!
    - Jackie

  • When defining the Outgoing SMTP Server, why does specifying the "default" SMTP server not work, but only the first server specified?

    I have several options for SMTP outgoing server. I set one to default and try to send. It fails and uses the first one in the list.
    I restart Thunderbird and try to send. It uses the first one in the list.
    I eliminate all SMTP servers from the list but the one I want, and it works.
    What am I missing? I have observed this problem on all of my systems for a long time.
    Regards,
    Carl

    What you're missing is that accounts have an SMTP server associated with them, which, if you're "in" an account, overrides the "default".
    Right-click an account folder and select Settings.
    Click on the account name in the settings; on the right is a drop-down list with the "default" SMTP for that account.

  • ACS 4.2 authentication and Privileged exec mode on Test Router.

    The goal is to have ACS authenticate my username via ssh and allow me to get into privileged exec mode once authenticated. Details below.
    I have ACS 4.2 Solution Engine and I have a test router with the following commands setup:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa session-id common
    tacacs-server host 10.4.4.21 single-connection
    tacacs-server key $#$&$*#
    The problem is this. I can SSH and logon to the router which uses a user in the ACS database but the router will not allow me to use the enable command to get to exec mode. The error it gives me is:
    AAA_ROUTER_CLIENT>enable
    % Error in authentication.
    AAA_ROUTER_CLIENT>
    I must be missing something in the ACS. Any help would be appreciated.

    You are missing this command
    aaa authorization exec default group tacacs+ if-authenticated
    This is what you need on router
    Router(config)# username [username] password [password]
    tacacs-server host [ip]
    tacacs-server key [key]
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    On ACS
    Bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Regards,
    ~JG
    Do rate helpful posts

  • Relaying email with authentication and TLS

    According to this article:
    http://blogs.technet.com/b/msonline/archive/2009/09/02/using-smtp-relay-with-exchange-online.aspx , email relay is possible.
    I tested the VBScript below with gmail—which also requires smtp authentication and TLS—and it worked perfectly.  Can anyone help me get it to work with Microsoft Online's email?
    Dim objEmailMessage
    Set objEmailMessage = CreateObject("CDO.Message")
    objEmailMessage.From = "Sender Email Here"
    objEmailMessage.To = "Recipient Email Here"
    objEmailMessage.Subject = "Test Subject"
    objEmailMessage.TextBody = "This is my test email message."
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.mail.microsoftonline.com"
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 587
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = true
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 20
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "Valid BPOS Email Account Here"
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "Password Here"
    objEmailMessage.Configuration.Fields.Update
    objEmailMessage.Send
    Set objEmailMessage = nothing
    MsgBox "Done."

    Try this, should work:
    Dim objEmailMessage
    Set objEmailMessage = CreateObject("CDO.Message")
    objEmailMessage.From = "Sender Email Here"
    objEmailMessage.To = "Recipient Email Here"
    objEmailMessage.Subject = "Test Subject"
    objEmailMessage.TextBody = "This is my test email message."
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.global.frontbridge.com"
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 20
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "Valid BPOS Email Account Here"
    objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "Password Here"
    objEmailMessage.Configuration.Fields.Update
    objEmailMessage.Send
    Set objEmailMessage = nothing
    MsgBox "Done."

  • Time Capsule and Airport Express as separate network on route acting slow

    Wonder if anyone has any thoughts on this...
    I have a Time Capsule (current gen) with an Airport Express N (last gen) which I would like to connect to my current router and create a network that is separate from the router's own wireless network. Currently, I've set the TC to work in Bridge Mode (connected to the router - ethernet) and have connected the Airport Express to 'extend the network' - this is also in Bridge Mode as well. However, when I'm away from the TC and in the Airport Express's range, the connection is very slow. Is there something I'm not doing right with the 2 Apple products or is it something with the router? When I'm closer to the TC it works fine, it's just when I'm far away there seems to be an issue!
    Thanks in advance!

    Wirelessly extending your network will improve your range, but decrease your bandwidth. You should create a roaming network via Ethernet if you can.

  • WHAT IS THE DEFAULT LOG IN AND PSWD FOR THE ROUTER?

    WHAT IS THE DEFAULT LOG IN AND PSWD FOR THE ROUTER?

    It's right here in the forum: http://customer.comcast.com/help-and-support/internet/wireless-gateway-username-and-password/

  • SSL mutual authentication with Tomcat and IE

    Hi,
    I am trying to set up mutual ssl with Tomcat.
    Everything works fine on the server but I cannot authenticate the client.
    The client is my internet explorer browser. This is what I have tried.
    -Generated an ssl server certificate using keytool.
    -Generated a certificate for the client
    -exported it to a .cer file
    -imported it to a truststore and moved it into the cacerts file
    I have verified this because Tomcat lists my client certificate as a trusted one at start-up.
    After this I installed the .cer file into IE and tried accessing the server.
    Handshake fails: "bad_certificate"
    I have searched all around the net trying to find someone who had done something like this, could not find anything. Can anyone please help me through this setup.
    -thanks

    Oh, I find that there are different code bases of WLS 7.0.0!!
    - WLS 7.0.0 of May 2002 is propagating the principal correctly with SSL mutual authentication.
    - WLS 7.0.0 of July 2002 is NOT propagating anymore! (the patch is applicable to this)
    Obviously BEA published different nightly builds of the same WLS 7.0.0 on the web.
    Is this normal?
    Regards
    Alain Hsiung
    "Alain Hsiung" <[email protected]> wrote in message
    news:[email protected]..
    I think that SP1 has a bug: it cannot propagate the principal when SSL mutual authentication is used. I fixed it with a small patch. Now the principal is propagated correctly with SSL mutual authentication on WLS 7.0.1 (WLS 7.0.0 is working without patch).
    Alain Hsiung
    "Alain Hsiung" <[email protected]> wrote in message
    news:[email protected]..
    Hi all
    I made SSL mutual authentication work between 2 WLS 7.0 servers.
    As I upgrade to WLS 7.0 SP1 the principal propagation doesn't work anymore: the principal on the target WLS is always "anonymous"!
    Is this a bug or is there something new to parametrize?
    Regards
    Alain Hsiung

  • User Name- and Password-Based Mutual Authentication

    Hi,
    The J2EE 1.4 Tutorial Update 1 shows an example of Client-Certificate Authentication over HTTP/SSL with JAX-RPC, but no User Name- and Password-Based Mutual Authentication example.
    Does this work the same? Does the client need a certificate for User Name- and Password-Based Mutual Authentication?
    I created my own self-signed certificate and imported it using the keytool. When I use my client to connect to my JAX-RPC web service, I get the following error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found.
    It seems that no trusted certificate is found... on the client side?! How do I specify the client certificate at the client side? I created a client certificate and added it to the keystore in the application server...
    If somebody has an example of User Name- and Password-Based Mutual Authentication, I'd really appreciate it.
    Thanks, d3m0.

    Hi,
    I've almost the same problem. In an application based on Java Web Start, I try to call a web service through HTTPS. Before the call to the web service, the client has already talked to the server through HTTPS, so the user has already accepted the certificate (I use a self-signed certificate too); I get the same exception.
    At the beginning I used classes from Axis. I found that Axis doesn't want to support non-trusted certificates. Some workarounds were that the client accesses the private key of the server... not really secure. So I tried to use the JAX-RPC classes; always the exception.
    For the moment, we don't want to use a trusted certificate and don't want to install the server certificate on each user workstation. I continue to investigate; does someone have a solution? What I don't understand is why I have this exception although I'm in a secure environment (JWS + user accepts the untrusted certificate).
    Sorry, I've never worked on User Name- and Password-Based Mutual Authentication, but I think your exception comes from the self-signed certificate.
    Regards,
    Pierre.

  • Ironport Management appliance and smtp routes

    Hi Guys,
    I'm configuring M170 management appliance for two mail security Ironports (for centralized quarantine).
    While going through the configuration, I have found that an SMTP route can be configured. Why do I need to configure an SMTP route under the management appliance?
    As I know, it should be configured on the IronPort email security appliances, but why on the management appliance? Do I need it?
    Thanks & Regards,
    Rami

    Hi,
    Thanks for your reply. Just want to confirm: this will be used even for end-user quarantine notifications, correct?
    I mean that the management appliance will send quarantine notifications to end users by using this SMTP route, am I right?
    Regards,
    Rami

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have a built-in Windows XP supplicant and a 2960 Cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin.
    On the supplicant I use EAP (PEAP) with EAP-MSCHAP v2.
    I created authentication and authorization rules with Active Directory as the External Identity Source. I also applied an authorization profile with a DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
    I tried to reboot the switch and the PC, but it didn't help. Only rebooting ISE helps. After the ISE reboot, authentication and authorization start to work properly for several hours.
    I don't understand: is it a glitch, or have I misconfigured ISE, the switch or the supplicant?
    What should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times); didn't work. 5 people in my office, all with vers. 6.0.1, couldn't access their Gmail accounts. Kept getting an error message that username and password were invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain, and that did the trick. Think there is an issue with imap.gmail.com and iOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.

  • ACS 5.3, EAP-TLS Machine Authentication with Active Directory

    I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
    My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
    Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
    Evaluating Identity Policy
    15006 Matched Default Rule
    22037 Authentication Passed
    22023 Proceed to attribute retrieval
    24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
    24437 Machine not found in Active Directory
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    12506 EAP-TLS authentication succeeded
    11503 Prepared EAP-Success
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    22065 Max sessions policy passed
    22064 New accounting session created in Session cache
    11002 Returned RADIUS Access-Accept
    I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
    Note: In my Identity Store Sequence, I did enable the option:
    For Attribute Retrieval only:
    If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
    but this only seems to work for internal identity stores (at least based on my testing)
    Under my Access Policy Identity tab, I configured the following Advanced features:
    Advanced Options
    If authentication failed: Reject / Drop / Continue
    If user not found: Reject / Drop / Continue
    If process failed: Reject / Drop / Continue
    And that didn't do anything either.
    Any ideas? Thanks in advance.

    You can try the following. Define an attribute to be retrieved from Active Directory that exists for all objects. When defining the attribute, it can be given a default value. Assign a default value that will never be returned for a real machine entry (e.g. "DEFAULTVALUE") and give it a "Policy Condition Name".
    Then you can make a rule in the authorization policy such as:
    If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

  • Trying to configure a Win 2003 Server to use TLS server authentication . . .

    I am trying to configure a Win 2003 Server to use TLS server authentication following Method 2 in KB 895443 - see below:-
    Method 2: By using the Certificate Request Wizard
    The following steps describe how to obtain a certificate from a Windows Server 2003 Certification Authority. You can also request a certificate from a Windows 2000 Certification Authority. Additionally, you must have Read permissions and Enroll permissions on the certificate template file to successfully request a certificate. Use this method if one or more of the following conditions are true:
    - You want to request a certificate from an Enterprise Certification Authority.
    - You want to request a certificate that is based on a template where the subject name is generated by Windows.
    - You want to obtain a certificate that does not require administrator approval before the certificate is issued.
    To obtain a certificate, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. Click Add, click Certificates, and then click Add.
    4. Click Computer account, and then click Next.
    5. If you want to add a certificate to the local computer, click Local computer. If you want to add a certificate to a remote computer, click Another computer, and then type the name of that remote computer in the Another computer box.
    6. Click Finish.
    7. In the Add Standalone Snap-in dialog box, click Close, and then click OK in the Add/Remove Snap-in dialog box.
    8. Under Console Root, click Certificates (Local Computer).
    Note: If you configured the Certificates MMC snap-in to manage a remote computer, click Certificates (servername) instead of Certificates (Local Computer).
    9. On the View menu, click Options.
    10. In the View Options dialog box, click Certificate purpose, and then click OK.
    11. In the right pane, right-click Server Authentication, point to All Tasks, and then click Request New Certificate.
    12. In the Certificate Request Wizard that starts, click Next.
    13. In the Certificate types list, click Server Authentication, click to select the Advanced check box, and then click Next.
    14. In the Cryptographic Service Providers list, click Microsoft RSA SChannel Cryptographic Provider.
    I get as far as step 11 and I get the error message:-
    The wizard cannot be started because of one or more of the following conditions:
    - There are no trusted certification authorities (CAs) available.
    - You do not have the permissions to request certificates from the available CAs.
    - The available CAs issue certificates for which you do not have permissions.
    This is covered in KB 927066 – see below:-
    To resolve the problem, follow these steps:
    1. Verify that the CERTSVC_DCOM_ACCESS group exists in the domain that hosts the certification authority. This group is in the CN=Users container. To do this, follow these steps:
       a. Click Start, click Run, type Dsa.msc, and then click OK.
       b. In the left pane, click the Users container.
       c. Verify that the CERTSVC_DCOM_ACCESS group is in the right pane. If the CERTSVC_DCOM_ACCESS group is not in the right pane, go to step 4.
    2. Verify that the CERTSVC_DCOM_ACCESS group includes the following member groups:
       - Domain Users
       - Domain Computers
       If these member groups do not exist in the CERTSVC_DCOM_ACCESS group, go to step 4.
       Note: If users or computers in other domains need to enroll against the certification authority, you must also add those users and computers to the CERTSVC_DCOM_ACCESS group. If the current problem occurs on a domain controller, you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group. By default, domain controllers are not members of the Domain Computers global group. Therefore, domain controllers do not have sufficient DCOM permissions.
    3. Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access permissions and DCOM Launch and Activation permissions on the computer that hosts the certification authority.
       a. Click Start, point to Program, point to Administrative Tools, and then click Component Services.
       b. Expand the Component Services node.
       c. Expand the Computers node.
       d. Right-click the My Computer node, and then click Properties.
       e. Click the COM Security tab.
       f. Under Access Permission, click Edit Limits.
       g. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and Allow Remote Access permissions, and then click Cancel.
       h. Under Launch and Activation Permissions, click Edit Limits.
       i. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation and Allow Remote Activation permissions, and then click Cancel.
       j. Click Cancel, and then close the Component Services console.
    Settings may be incorrect if any one of the following conditions is true:
    - The CERTSVC_DCOM_ACCESS group does not exist.
    - The default membership of the CERTSVC_DCOM_ACCESS group is incorrect.
    - The CERTSVC_DCOM_ACCESS group does not have the correct permissions.
    4. If any one setting is incorrect, run the following commands at a command prompt. Press ENTER after each command.
       certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
       net stop certsvc
       net start certsvc
    5. Repeat steps 1 through 3 to verify that all the settings are correct.
    Note: If the changes affect the group membership of the certification authority server, you must restart the server for the changes to take effect.
    The only part of the above instructions which I have not been able to complete is:-
    “you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group”.
    When I click on the CERTSVC_DCOM_ACCESS user, then click the Members tab and go to add Enterprise Domain Controllers, the option is not there.

    Hi Nick,
    Have you successfully set up an enterprise CA?
    If yes, is the enterprise CA’s certificate located under the Trusted Root Certification Authorities store?
    Best Regards,
    Amy

  • Advice needed for provider hosted web application - authentication and access to SharePoint document library

    I haven't done SharePoint 2013 development with claims so I apologize in advance if my assumptions and questions are way out in left field.
    I'm trying to understand SharePoint 2013 claims authentication for a scenario that involves:
    A SharePoint provided hosted (web forms) app that will pull information and assets (e.g. PDFs) from SharePoint into the web page.
    It will be a VS 2012 solution with asp.net.identity feature.
    Security will be set for internal users, federated external users and forms-based external users. Based on their security and (claim type) role, it will define what information and assets can be retrieved from SharePoint.
    I have looked through MSDN and other sources to understand.
    This one helped with my understanding: Federated Identity for Web Applications. I assumed that the general concept could be applied to forms-based identity for non-federated external users.
    What I have now:
    VS 2012 solution web forms application set to Provider Host with asp.net.identity feature and its required membership tables.
    I can create new users and associate claims to the new user.
    I can log in with a user from the membership tables and it will take me to a default.aspx page.  I have added code to it that displays the claims associated to a user.
    For POC purposes I'd like to retrieve documents that are associated to this user from the default.aspx page.
    This is where I am having trouble understanding: is my understanding correct?
    Internal users
    Since they are internal on the network, I am assuming that they would already have access to SharePoint and they would already be configured for what documents they have available to them.
    Federated external users & Forms authentication external users
    It seems to me that the authentication for external users is separate from the SharePoint authentication process.
    Changes to the configuration settings are necessary in SharePoint, IIS and the web application.
    I believe this is what I read.
    Claims processes (e.g. mappings) need to be set up in SharePoint.
    As long as external users are authenticated, then things are OK because they would have claims associated to the user and the configuration in SharePoint takes care of the rest.
    This statement bothers me because I think it's wrong.
    So basically I'm stuck with whether my understanding is correct: once a user is authenticated either by federated identity or asp.net.identity authentication, it should go to the provider-hosted default.aspx page because the claim is authenticated, and that means it should have access to it and to the SharePoint document library based on some claim property. I could then write the calls to retrieve from a document library, and SharePoint will know, based on some claim property, that the logged-in user can only access certain documents.
    It just sounds too good to be true and that i'm missing something in the thought process.
    Thanks in advance for taking the time to read.
    greenwasabi

    Hi GreenWasabi,
    I agree this is an interesting topic to discuss.
    As you can check from the article, you may check this example from CodePlex: http://claimsid.codeplex.com/
    When I think about this topic, it looks like an environment with multiple realms.
    From what you understand, it's correct that all the authentication is based on the provider, so for example I have a Windows Live ID and an internal ID; then when I log in with the Windows Live ID, it will be authenticated using the Windows Live ID server.
    Here is the example for the web service:
    http://claimsid.codeplex.com/wikipage?title=Federated%20Identity%20for%20Web%20Services&referringTitle=Home
    As I know, if you are using this federated approach, I am not quite sure that you will need to go to the provider page literally; perhaps you can check this example if we are using Azure:
    http://social.technet.microsoft.com/wiki/contents/articles/22309.integrating-windows-live-id-google-and-facebook-accounts-with-sharepoint-2013-white-paper.aspx
    Regards,
    Aries
    Microsoft Online Community Support

  • AuthenticationFailedException when using JNDI and JavaMail with SMTP auth

    Hi all - I've been banging my head on this one for awhile now - hopefully someone else has done this.
    We are working in a servlet container (Tomcat), and need to obtain a mail session from JNDI. We do this as follows:
                   Context initCtx = new InitialContext();
                   Context envCtx = (Context) initCtx.lookup("java:comp/env");
                   Session mailSession = (Session) envCtx.lookup("mailSession/trumpetinc");
    So far so good. The JNDI entry for the mail session is configured in server.xml as follows:
              <Resource name="mailSession/trumpetinc" scope="Shareable" type="javax.mail.Session"/>
              <ResourceParams name="mailSession/trumpetinc">
                <parameter>
                  <name>mail.smtp.host</name>
                  <value>mail.server.com</value>
                </parameter>
                <parameter>
                  <name>mail.smtp.password</name>
                  <value>ABCDEFG</value>
                </parameter>
                <parameter>
                  <name>mail.smtp.user</name>
                  <value>trumpet_kevin</value>
                </parameter>
                <parameter>
                  <name>mail.smtp.auth</name>
                  <value>true</value>
                </parameter>
              </ResourceParams>
    With the above, whenever we hit Transport.send(msg), we got an AuthenticationFailedException thrown. I have run into this before with SMTP authentication, so I decided to try using the transport.sendMessage() method instead.
    So, I get the transport:
              Transport trans = mailSession.getTransport("smtp");
              trans.connect();
    Then I send my message using:
              msg.saveChanges();
              trans.sendMessage(msg, msg.getAllRecipients());
    and finally, I close the transport:
              trans.close();
    Unfortunately, I'm still getting the exception. Is it possible that my connect() method is not picking up the JNDI properties set in the server.xml file (this seems likely)? If so, what's the best way for me to get those properties so I can set them explicitly in the connect() method?
    Thanks in advance,
    - Kevin

    Hi,
    I have faced the same problem and after some googling and trying I have discovered what causes the AuthenticationFailedException exception. I just wanted to share the knowledge; maybe it will be helpful to others.
    Here is what the API says:
    To use SMTP authentication you'll need to set the mail.smtp.auth property (see below) and provide the SMTP Transport with a username and password when connecting to the SMTP server. You can do this using one of the following approaches:
    1. Provide an Authenticator object when creating your mail Session and provide the username and password information during the Authenticator callback.
    Note that the mail.smtp.user property can be set to provide a default username for the callback, but the password will still need to be supplied explicitly.
    This approach allows you to use the static Transport send method to send messages.
    2. Call the Transport connect method explicitly with username and password arguments.
    This approach requires you to explicitly manage a Transport object and use the Transport sendMessage method to send the message. The transport.java demo program demonstrates how to manage a Transport object. The following is roughly equivalent to the static Transport send method, but supplies the needed username and password:
    Using Transport.connect makes the JNDI not very helpful for configuration.
    It seems that using just the mail.smtp.user and mail.smtp.pass is not sufficient for the authentication.
    So, the solution is:
    just place these two lines in the JNDI configuration:
              username="test"
              password="test1"
    so it should look as follows:
              <Resource name="mail/Session" auth="Container"
              type="javax.mail.Session"
              username="test"
              password="test1"
              mail.transport.protocol="smtp"
              mail.smtp.auth="true"     
              mail.smtp.host="localhost"
              mail.smtp.port="25"
              mail.smtp.user="test"
              mail.smtp.password="test1"
    />
    where test and test1 are the user's credentials
    Regards,
    Kiril
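    As an added example (not code from this thread), here are the two approaches the quoted API text describes, written in plain Java: a Session built with an Authenticator so the static Transport.send() can authenticate, and an explicit Transport.connect() that takes host and user back out of the Session's own properties. The host mail.example.com, the user demo_user and the SMTP_PASSWORD environment variable are assumptions.

```java
import java.util.Properties;
import javax.mail.*;
import javax.mail.internet.*;
public final class SmtpAuthDemo {
    // Approach 1 (quoted API text): a Session built with an Authenticator lets the
    // static Transport.send() log in; mail.smtp.password in Properties supplies nothing.
    static Session sessionWithAuthenticator(Properties props,
                                            final String user, final String password) {
        props.setProperty("mail.smtp.auth", "true");
        return Session.getInstance(props, new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(user, password);
            }
        });
    }
    // Approach 2: the Session has no Authenticator (e.g. a JNDI Resource without the
    // username/password attributes); read host/user back and pass them to connect().
    static void sendWithExplicitConnect(Session session, MimeMessage msg,
                                        String password) throws MessagingException {
        String host = session.getProperty("mail.smtp.host");
        String user = session.getProperty("mail.smtp.user");
        Transport transport = session.getTransport("smtp");
        try {
            transport.connect(host, user, password);
            msg.saveChanges();
            transport.sendMessage(msg, msg.getAllRecipients());
        } finally {
            transport.close();
        }
    }
    public static void main(String[] args) throws MessagingException {
        // Constructed settings (host and user are assumptions); the password is read
        // from the SMTP_PASSWORD environment variable rather than hard-coded.
        Properties props = new Properties();
        props.setProperty("mail.smtp.host", "mail.example.com");
        props.setProperty("mail.smtp.port", "587");
        props.setProperty("mail.smtp.starttls.enable", "true");
        props.setProperty("mail.smtp.user", "demo_user");
        String password = System.getenv("SMTP_PASSWORD");
        Session session = sessionWithAuthenticator(props, "demo_user", password);
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress("demo_user@example.com"));
        msg.setRecipients(Message.RecipientType.TO, "recipient@example.com");
        msg.setSubject("SMTP auth demo");
        msg.setText("Sent through an authenticated SMTP session.");
        Transport.send(msg);                              // approach 1
        sendWithExplicitConnect(session, msg, password);  // approach 2
    }
}
```

    With STARTTLS enabled as above, the credentials are not sent to the server in clear text, which a plain port 25 session without TLS would do.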
