TLS mutual authentication and Separate default SMTP routes per listener - IronPort c370
Dear all ,
We have two IronPort C370 ESAs, formed in a cluster.
We are in need of routing e-mails targeted to a special group using TLS Required/Verify.
I have two questions:
1. Is TLS mutual authentication possible on both incoming and outgoing?
2. Due to the nature of the TLS need, the existing listener cannot be used. So I created a new listener and respective filters to decide when the recipient requirements are met. The new listener is going to be configured with a policy specifying TLS required/verify. The problem is that there is always a default SMTP route pointing specifically to a cloud service rather than directly to the Internet, while for the new listener usedns is required. Is it possible to have two different default SMTP routes assigned to different listeners?
Thanks and kind regards,
Gino.
PS: Please bear with me and my questions. I am making my first steps in IronPort administration.
I have made some sort of progress but I would also like to have your expert opinions.
I have come to understand that in order to present TLS mutual authentication for the incoming traffic I will just have to trust the sender(s) CA (containing SANs etc. for both the SMTP domain and the ESA itself), while if I spread my own SANs to the counterparts I will also have TLS mutual authentication on the outgoing traffic as well. The issue is that I will have to declare it in destination controls and it cannot be generic.
Is there any way to make TLS required/verify with mutual authentication the default without having to set destination control(s)?
As for my second question, I have come to understand that the additional listener is not an additional MTA and consequently I cannot have a separate default SMTP route (default = what is called "ALL" in IronPort). Still, if anyone knows something more it would be really helpful if it was shared.
Similar Messages
-
SMTP Routes, DNS and Failover
Hi !
I'm configuring an outgoing server (i.e. only a private listener) on ESA C370 with AsyncOS 8.0.1.
I use the Internet's Root DNS Servers, and my default SMTP route is empty. My ESA is connected to 3 networks: production (default gateway), administration and failover (1 interface/network).
I would like to deploy a failover solution with an extra ESA on the failover network : if I lose my internet connection (impossible to join DNS and remote MX), my ESA would redirect all its mails to the extra ESA.
How can I do that ?
Thank you for your help.
Best Regards
Quentin
The ESA has no way to automatically fall back to a static IP if DNS is unreachable. The best on-box solution I can suggest is manually changing the 'All Other Domains' SMTP Routes entry when such an event occurs.
I hope this helps!
- Jackie -
I have several options for SMTP outgoing server. I set one to default and try to send. it fails and uses the first one in the list.
I restart Thunderbird and try to send. It uses the first one in the list.
I eliminate all SMTP servers from the list but the one I want, and it works.
What am I missing? I have observed this problem on all of my systems for a long time.
Regards,
Carl
What you're missing is that accounts have an SMTP server associated with them, which, if you're "in" an account, overrides the "default".
Right-click an account folder and select Settings.
Click on the account name in the settings; on the right is a drop-down list with the "default" SMTP for that account.
-
ACS 4.2 authentication and Privileged exec mode on Test Router.
The goal is to have ACS authenticate my username via ssh and allow me to get into privileged exec mode once authenticated. Details below.
I have ACS 4.2 Solution Engine and I have a test router with the following commands setup:
aaa new-model
aaa authentication login default group tacacs+ local
aaa session-id common
tacacs-server host 10.4.4.21 single-connection
tacacs-server key $#$&$*#
The problem is this. I can SSH and logon to the router which uses a user in the ACS database but the router will not allow me to use the enable command to get to exec mode. The error it gives me is:
AAA_ROUTER_CLIENT>enable
% Error in authentication.
AAA_ROUTER_CLIENT>
I must be missing something in the ACS. Any help would be appreciated.
You are missing this command
aaa authorization exec default group tacacs+ if-authenticated
This is what you need on router
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
On ACS
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG
Do rate helpful posts
-
Relaying email with authentication and TLS
According to this article:
http://blogs.technet.com/b/msonline/archive/2009/09/02/using-smtp-relay-with-exchange-online.aspx , email relay is possible.
I tested the VBScript below with gmail—which also requires smtp authentication and TLS—and it worked perfectly. Can anyone help me get it to work with Microsoft Online's email?
Dim objEmailMessage
Set objEmailMessage = CreateObject("CDO.Message")
objEmailMessage.From = "Sender Email Here"
objEmailMessage.To = "Recipient Email Here"
objEmailMessage.Subject = "Test Subject"
objEmailMessage.TextBody = "This is my test email message."
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.mail.microsoftonline.com"
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 587
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = true
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 20
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "Valid BPOS Email Account Here"
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "Password Here"
objEmailMessage.Configuration.Fields.Update
objEmailMessage.Send
Set objEmailMessage = nothing
MsgBox "Done."
Try this, should work:
Dim objEmailMessage
Set objEmailMessage = CreateObject("CDO.Message")
objEmailMessage.From = "Sender Email Here"
objEmailMessage.To = "Recipient Email Here"
objEmailMessage.Subject = "Test Subject"
objEmailMessage.TextBody = "This is my test email message."
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.global.frontbridge.com"
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 20
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "Valid BPOS Email Account Here"
objEmailMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "Password Here"
objEmailMessage.Configuration.Fields.Update
objEmailMessage.Send
Set objEmailMessage = nothing
MsgBox "Done."
-
Time Capsule and Airport Express as separate network on route acting slow
Wonder if anyone has any thoughts on this...
I have a Time Capsule (current gen) with an Airport Express N (last gen) which I would like to connect to my current router and create a network that is separate from the router's own wireless network. Currently, I've set the TC to work in Bridge Mode (connected to the router - ethernet) and have connected the Airport Express to 'extend the network' - this is also in Bridge Mode as well. However, when I'm away from the TC and in the Airport Express's range, the connection is very slow. Is there something I'm not doing right with the 2 Apple products or is it something with the router? When I'm closer to the TC it works fine, it's just when I'm far away there seems to be an issue!
Thanks in advance!
Wirelessly extending your network will improve your range, but decrease your bandwidth. You should create a roaming network via Ethernet if you can.
-
WHAT IS THE DEFAULT LOG IN AND PSWD FOR THE ROUTER?
It's right here in the forum: http://customer.comcast.com/help-and-support/internet/wireless-gateway-username-and-password/
-
SSL mutual authentication with Tomcat and IE
Hi,
I am trying to set up mutual ssl with Tomcat.
Everything works fine on the server but I cannot authenticate the client.
The client is my internet explorer browser. This is what I have tried.
-Generated an ssl server certificate using keytool.
-Generated a certificate for the client
-exported it to a .cer file
-imported it to a truststore and moved it into the cacerts file
I have verified this because Tomcat lists my client certificate as a trusted one at start up.
After this I installed the .cer file into IE and tried accessing the server.
Handshake fails: "bad_certificate"
I have searched all around the net trying to find someone who had done something like this, could not find anything. Can anyone please help me through this setup.
-thanks
Oh, I find that there are different code bases of WLS 7.0.0!!
- WLS 7.0.0 of May 2002 is propagating the principal correctly with SSL mutual authentication.
- WLS 7.0.0 of July 2002 is NOT propagating anymore! (the patch is applicable to this)
Obviously BEA published different nightly builds of the same WLS 7.0.0 on the web.
Is this normal?
Regards
Alain Hsiung
"Alain Hsiung" <[email protected]> wrote in message
news:[email protected]..
I think that SP1 has a bug: it cannot propagate the principal when SSL mutual authentication is used. I fixed it with a small patch. Now the principal is propagated correctly with SSL mutual authentication on WLS 7.0.1 (WLS 7.0.0 is working without patch).
Alain Hsiung
"Alain Hsiung" <[email protected]> wrote in message
news:[email protected]..
Hi all
I made SSL mutual authentication work between 2 WLS 7.0 servers.
As I upgraded to WLS 7.0 SP1, the principal propagation doesn't work anymore:
the principal on the target WLS is always "anonymous"!
Is this a bug or is there something new to parametrize?
Regards
Alain Hsiung
-
User Name- and Password-Based Mutual Authentication
Hi,
The J2EE 1.4 Tutorial Update 1 shows an example of Client-Certificate Authentication over HTTP/SSL with JAX-RPC, but no User Name- and Password-Based Mutual Authentication example.
Does this work the same? Does the client need a certificate for User Name- and Password-Based Mutual Authentication?
I created my own self-signed certificate and imported it using the keytool. When I use my client to connect to my JAX-RPC web service, I get the following error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found.
It seems that no trusted certificate is found... on the client side?! How do I specify the client certificate at the client side? I created a client certificate and added it to the keystore in the application server...
If somebody should have an example of User Name- and Password-Based Mutual Authentication, I'd really appreciate it.
Thanks, d3m0.
Hi,
I have almost the same problem. In an application based on Java Web Start, I try to call a web service through HTTPS. Before the call to the web service, the client has already communicated with the server through HTTPS, so the user has already accepted the certificate (I use a self-signed certificate too), and I get the same exception.
At the beginning I used classes from Axis. I found that Axis doesn't want to support non-trusted certificates. Some workarounds were that the client accesses the private key of the server ... not really secure. So I tried to use the JAX-RPC classes; always the exception.
For the moment, we don't want to use a trusted certificate and don't want to install the server certificate on each user workstation. I continue to investigate, if someone has a solution? What I don't understand is why I get this exception although I'm in a secure environment (JWS + user accepts the untrusted certificate).
Sorry, I've never worked on User Name- and Password-Based Mutual Authentication, but I think your exception comes from the self-signed certificate.
Regards,
Pierre.
-
Ironport Management appliance and smtp routes
Hi Guys,
I'm configuring an M170 management appliance for two IronPort mail security appliances (for centralized quarantine).
While going through the configuration, I found that an SMTP route can be configured. Why do I need to configure an SMTP route under the management appliance?
As far as I know it should be configured on the IronPort email security appliances, but why on the management appliance? Do I need it?
Thanks & Regards,
Rami
Hi,
Thanks for your reply. I just want to confirm: this will be used even for end-user quarantine notifications, correct?
I mean that the management appliance will send quarantine notifications to end users by using this SMTP route, am I right?
Regards,
Rami
-
An issue with authentication and authorization on ISE 1.2
Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as External Identity Source. I also applied an authorization profile with a DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
I tried to reboot the switch and the PC, but it didn't help. Only rebooting ISE helps. After ISE reboots, authentication and authorization start to work properly for several hours.
I don't understand: is it a glitch, or have I misconfigured ISE, the switch, or the supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15 Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1888913408
revocation-check none
rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
ip address 172.16.0.204 255.255.240.0
no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
deny icmp any host 172.16.0.1
permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
end
Yes. Tried that (several times), didn't work. 5 people in my office, all with vers. 6.0.1, couldn't access their gmail accounts. Kept getting an error message that username and password were invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain, and that did the trick. Think there is an issue with imap.gmail.com and iOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.
-
ACS 5.3, EAP-TLS Machine Authentication with Active Directory
I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing)
Under my Access Policy Identity tab, I configured the following Advanced features:
Advanced Options
If authentication failed
RejectDropContinue
If user not found
RejectDropContinue
If process failed
RejectDropContinue
And that didn't do anything either.
Any ideas? Thanks in advance.
You can try the following. Define an attribute to be retrieved from Active Directory that exists for all objects. When defining the attribute it can be given a default value. Assign a default value that will never be returned for a real machine entry (e.g. "DEFAULTVALUE") and give it a "Policy Condition Name".
Then can make a rule in the authorization policy such as
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"
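As an added example for the ACS 5.3 post above (Python written for this page; it is not Cisco's code and not something either poster shared): a small check that scans an ACS step log like the one quoted in the question and flags a session in which the Active Directory lookup failed (step 24437) but the request still ended in a RADIUS Access-Accept (step 11002). The only step codes it relies on are the three visible in the quoted log; the first sample log is copied from the post, the second is constructed to show what a rejected session looks like to the check.

```python
import re

# Step codes exactly as they appear in the ACS log quoted in the post above.
# No other ACS codes are assumed here.
LOOKUP = "24433"             # Looking up machine/host in Active Directory - <host>
MACHINE_NOT_FOUND = "24437"  # Machine not found in Active Directory
ACCESS_ACCEPT = "11002"      # Returned RADIUS Access-Accept

# ACS step lines start with a five-digit code; policy headers such as
# "Evaluating Identity Policy" carry no code.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*$")

# Log lines copied from the post above (the case the poster describes:
# machine missing from AD, request accepted anyway).
ACS_LOG_ACCEPTED = """\
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
""".splitlines()

# Constructed counter-example: same lookup failure, but no Access-Accept
# (the outcome the poster expected to see).
ACS_LOG_NOT_ACCEPTED = """\
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
Evaluating Authorization Policy
15006 Matched Default Rule
""".splitlines()


def parse_steps(lines):
    """Yield (code, message) pairs; lines without a step code yield (None, text)."""
    for line in lines:
        m = STEP_RE.match(line)
        if m:
            yield m.group(1), m.group(2)
        else:
            yield None, line.strip()


def accepted_unknown_machine(lines):
    """Return the looked-up host name when the session shows the AD lookup
    failing yet ends in a RADIUS Access-Accept; return None otherwise.

    The host is taken from the 24433 line; if the log has no such line the
    finding is still reported, with '<unknown>' as the host."""
    host = None
    not_found = False
    for code, msg in parse_steps(lines):
        if code == LOOKUP and " - " in msg:
            host = msg.rsplit(" - ", 1)[1]
        elif code == MACHINE_NOT_FOUND:
            not_found = True
        elif code == ACCESS_ACCEPT and not_found:
            return host or "<unknown>"
    return None


if __name__ == "__main__":
    for name, log in (("accepted", ACS_LOG_ACCEPTED), ("not accepted", ACS_LOG_NOT_ACCEPTED)):
        hit = accepted_unknown_machine(log)
        print(f"{name}: {'FLAG ' + hit if hit else 'ok'}")
```

Run over exported ACS session logs, a check like this shows how many sessions slipped through the gap between identity retrieval and authorization before the DenyAccess rule suggested in the answer is in place, and it serves as a regression test for that rule afterwards: once the rule works, the accepted case should never appear again.
-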
Trying to configure a Win 2003 Server to use TLS server authentication . . .
I am trying to configure a Win 2003 Server to use TLS server authentication following Method 2 in KB 895443 - see below:-
Method 2: By using the Certificate Request Wizard
The following steps describe how to obtain a certificate from a Windows Server 2003 Certification Authority. You can also request a certificate from a Windows 2000 Certification Authority. Additionally, you must have Read permissions and Enroll permissions on the certificate template file to successfully request a certificate. Use this method if one or more of the following conditions are true:
- You want to request a certificate from an Enterprise Certification Authority.
- You want to request a certificate that is based on a template where the subject name is generated by Windows.
- You want to obtain a certificate that does not require administrator approval before the certificate is issued.
To obtain a certificate, follow these steps:
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add, click Certificates, and then click Add.
4. Click Computer account, and then click Next.
5. If you want to add a certificate to the local computer, click Local computer. If you want to add a certificate to a remote computer, click Another computer, and then type the name of that remote computer in the Another computer box.
6. Click Finish.
7. In the Add Standalone Snap-in dialog box, click Close, and then click OK in the Add/Remove Snap-in dialog box.
8. Under Console Root, click Certificates (Local Computer).
Note If you configured the Certificates MMC snap-in to manage a remote computer, click Certificates (servername) instead of Certificates (Local Computer).
9. On the View menu, click Options.
10. In the View Options dialog box, click Certificate purpose, and then click OK.
11. In the right pane, right-click Server Authentication, point to All Tasks, and then click Request New Certificate.
12. In the Certificate Request Wizard that starts, click Next.
13. In the Certificate types list, click Server Authentication, click to select the Advanced check box, and then click Next.
14. In the Cryptographic Service Providers list, click Microsoft RSA SChannel Cryptographic Provider.
I get as far as step 11 and I get the error message:-
The wizard cannot be started because of one or more of the following conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available CAs.
- The available CAs issue certificates for which you do not have permissions.
This is covered in KB 927066 – see below:-
To resolve the problem, follow these steps:
1. Verify that the CERTSVC_DCOM_ACCESS group exists in the domain that hosts the certification authority. This group is in the CN=Users container. To do this, follow these steps:
   a. Click Start, click Run, type Dsa.msc, and then click OK.
   b. In the left pane, click the Users container.
   c. Verify that the CERTSVC_DCOM_ACCESS group is in the right pane. If the CERTSVC_DCOM_ACCESS group is not in the right pane, go to step 4.
2. Verify that the CERTSVC_DCOM_ACCESS group includes the following member groups:
   - Domain Users
   - Domain Computers
   If these member groups do not exist in the CERTSVC_DCOM_ACCESS group, go to step 4.
   Note If users or computers in other domains need to enroll against the certification authority, you must also add those users and computers to the CERTSVC_DCOM_ACCESS group. If the current problem occurs on a domain controller, you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group. By default, domain controllers are not members of the Domain Computers global group. Therefore, domain controllers do not have sufficient DCOM permissions.
3. Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access permissions and DCOM Launch and Activation permissions on the computer that hosts the certification authority.
   a. Click Start, point to Programs, point to Administrative Tools, and then click Component Services.
   b. Expand the Component Services node.
   c. Expand the Computers node.
   d. Right-click the My Computer node, and then click Properties.
   e. Click the COM Security tab.
   f. Under Access Permission, click Edit Limits.
   g. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and Allow Remote Access permissions, and then click Cancel.
   h. Under Launch and Activation Permissions, click Edit Limits.
   i. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation and Allow Remote Activation permissions, and then click Cancel.
   j. Click Cancel, and then close the Component Services console.
   Settings may be incorrect if any one of the following conditions is true:
   - The CERTSVC_DCOM_ACCESS group does not exist.
   - The default membership of the CERTSVC_DCOM_ACCESS group is incorrect.
   - The CERTSVC_DCOM_ACCESS group does not have the correct permissions.
4. If any one setting is incorrect, run the following commands at a command prompt. Press ENTER after each command.
   certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
   net stop certsvc
   net start certsvc
5. Repeat steps 1 through 3 to verify that all the settings are correct.
Note If the changes affect the group membership of the certification authority server, you must restart the server for the changes to take effect.
The only part of the above instructions which I have not been able to complete is:-
“you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group”.
When I click on the CERTSVC_DCOM_ACCESS user, then click the Members tab and go to add Enterprise Domain Controllers, the option is not there.
Hi Nick,
Have you successfully set up an enterprise CA?
If yes, is the enterprise CA’s certificate located under the Trusted Root Certification Authorities store?
Best Regards,
Amy
-
I haven't done SharePoint 2013 development with claims so I apologize in advance if my assumptions and questions are way out in left field.
I'm trying to understand SharePoint 2013 claims authentication for a scenario that involves:
A SharePoint provider-hosted (web forms) app that will pull information and assets (e.g. PDFs) from SharePoint into the web page.
It will be a VS 2012 solution with asp.net.identity feature.
Security will be set for internal users, federated external users and forms-based external users. Based on their security and (claim type) role it will define what information and assets can be retrieved from SharePoint.
I have looked through MSDN and other sources to understand.
This one helped with my understanding: Federated Identity for Web Applications. I assumed that the general concept could be applied to forms-based identity for non-federated external users.
What I have now:
VS 2012 solution web forms application set to Provider Host with asp.net.identity feature and its required membership tables.
I can create new users and associate claims to the new user.
I can log in with a user from the membership tables and it will take me to a default.aspx page. I have added code to it that displays the claims associated to a user.
For POC purposes I'd like to retrieve documents that are associated to this user from the default.aspx page.
This is where I am having trouble understanding: is my understanding correct?
Internal users
Since they are internal on the network, I am assuming that they would already have access to SharePoint and would already be configured for what documents are available to them.
Federated external users & Forms authentication external users
It seems to me that the authentication for external users is separate from the SharePoint authentication process.
Changes to the configuration settings are necessary in SharePoint, IIS and the web application.
I believe this is what I read.
Claims processes (e.g. mappings) need to be set up in SharePoint.
As long as external users are authenticated then things are OK, because they would have claims associated to the user and the configuration in SharePoint takes care of the rest.
This statement bothers me because I think it's wrong.
So basically I'm stuck on whether my understanding is correct: once a user is authenticated, either by federated identity or asp.net.identity authentication, it should go to the provider-hosted default.aspx page, because the claim is authenticated, and that means it should have access to it and to the SharePoint document library based on some claim property. I could then write the calls to retrieve from a document library, and SharePoint will know based on some claim property that the logged-in user can only access certain documents.
It just sounds too good to be true, and I think I'm missing something in the thought process.
Thanks in advance for taking the time to read.
greenwasabi
Hi GreenWasabi,
I agree this is an interesting topic to discuss.
As you can check from the article, you may check this example from CodePlex: http://claimsid.codeplex.com/
When I think about this topic, it looks like an environment with multiple realms.
From what you understand, it's correct that all the authentication is based on the provider. So for example, I have a Windows Live ID and an internal ID; when I log in with the Windows Live ID, it will be authenticated using the Windows Live ID server.
Here is the example for the web service:
http://claimsid.codeplex.com/wikipage?title=Federated%20Identity%20for%20Web%20Services&referringTitle=Home
As far as I know, if you are using this federated setup, I am not quite sure that you will need to go to the provider page literally. Perhaps you can check this example if we are using Azure:
http://social.technet.microsoft.com/wiki/contents/articles/22309.integrating-windows-live-id-google-and-facebook-accounts-with-sharepoint-2013-white-paper.aspx
Regards,
Aries
Microsoft Online Community Support
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
AuthenticationFailedException when using JNDI and JavaMail with SMTP auth
Hi all - I've been banging my head on this one for awhile now - hopefully someone else has done this.
We are working in a servlet container (Tomcat), and need to obtain a mail session from JNDI. We do this as follows:
Context initCtx = new InitialContext();
Context envCtx = (Context) initCtx.lookup("java:comp/env");
Session mailSession=(Session) envCtx.lookup("mailSession/trumpetinc");so far so good. The jndi entry for the mail session is configured in server.xml as follows:
    <Resource name="mailSession/trumpetinc" scope="Shareable" type="javax.mail.Session"/>
    <ResourceParams name="mailSession/trumpetinc">
        <parameter>
            <name>mail.smtp.host</name>
            <value>mail.server.com</value>
        </parameter>
        <parameter>
            <name>mail.smtp.password</name>
            <value>ABCDEFG</value>
        </parameter>
        <parameter>
            <name>mail.smtp.user</name>
            <value>trumpet_kevin</value>
        </parameter>
        <parameter>
            <name>mail.smtp.auth</name>
            <value>true</value>
        </parameter>
    </ResourceParams>
With the above, whenever we hit Transport.send(msg), we got an AuthenticationFailedException thrown. I have run into this before with SMTP authentication, so I decided to try using the transport.sendMessage() method instead.
So, I get the transport:
    Transport trans = mailSession.getTransport("smtp");
    trans.connect();
Then I send my message using:
    msg.saveChanges();
    trans.sendMessage(msg, msg.getAllRecipients());
and finally, I close the transport:
    trans.close();
Unfortunately, I'm still getting the exception. Is it possible that my connect() method is not picking up the JNDI properties set in the server.xml file (this seems likely)? If so, what's the best way for me to get those properties so I can set them explicitly in the connect() method?
Thanks in advance,
- Kevin
Hi,
I have faced the same problem, and after some googling and trying I have discovered what causes the AuthenticationFailedException. I just wanted to share the knowledge; maybe it will be helpful to others.
Here it is what the API says:
To use SMTP authentication you'll need to set the mail.smtp.auth property (see below) and provide the SMTP Transport with a username and password when connecting to the SMTP server. You can do this using one of the following approaches:
1.Provide an Authenticator object when creating your mail Session and provide the username and password information during the Authenticator callback.
Note that the mail.smtp.user property can be set to provide a default username for the callback, but the password will still need to be supplied explicitly.
This approach allows you to use the static Transport send method to send messages.
2.Call the Transport connect method explicitly with username and password arguments.
This approach requires you to explicitly manage a Transport object and use the Transport sendMessage method to send the message. The transport.java demo program demonstrates how to manage a Transport object. The following is roughly equivalent to the static Transport send method, but supplies the needed username and password:
Using Transport.connect makes JNDI not very helpful for configuration.
It seems that using just mail.smtp.user and mail.smtp.password is not sufficient for the authentication.
So, the solution is:
just place these two lines in the JNDI configuration:
username="test"
password="test1"
so it should look as follows:
    <Resource name="mail/Session" auth="Container"
              type="javax.mail.Session"
              username="test"
              password="test1"
              mail.transport.protocol="smtp"
              mail.smtp.auth="true"
              mail.smtp.host="localhost"
              mail.smtp.port="25"
              mail.smtp.user="test"
              mail.smtp.password="test1"
    />
where test and test1 are the user's credentials
Regards,
Kiril
Message was edited by:
Kireto
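The quoted API text describes two ways the JavaMail SMTP provider can receive credentials: an Authenticator attached to the Session (which lets Transport.send work) or an explicit Transport.connect(user, password) followed by sendMessage. The following is an added example, not code from the thread or from the JavaMail project, that shows both side by side. The host name, port, addresses and the SMTP_USER / SMTP_PASSWORD environment variable names are assumptions for illustration; reading the credentials from the environment keeps them out of server.xml, where the thread's configuration stores them in clear text, and STARTTLS is required so the password is not sent unencrypted.

```java
import java.util.Arrays;
import java.util.Properties;

import javax.mail.Authenticator;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

// Added example: the two credential-passing approaches from the JavaMail SMTP
// documentation. All host/port/address values below are placeholders.
public class SmtpAuthExample {

    // Common connection properties. STARTTLS is required so AUTH credentials
    // are never sent over a clear-text connection.
    static Properties baseProperties(String host, int port) {
        Properties props = new Properties();
        props.setProperty("mail.transport.protocol", "smtp");
        props.setProperty("mail.smtp.host", host);
        props.setProperty("mail.smtp.port", Integer.toString(port));
        props.setProperty("mail.smtp.auth", "true");
        props.setProperty("mail.smtp.starttls.enable", "true");
        props.setProperty("mail.smtp.starttls.required", "true");
        return props;
    }

    // Approach 1: an Authenticator on the Session. The provider calls
    // getPasswordAuthentication() itself, so the static Transport.send works.
    // Note: mail.smtp.password alone is not consulted by the provider, which
    // is why the server.xml configuration in the question failed.
    static Session sessionWithAuthenticator(Properties props, final String user, final char[] password) {
        props.setProperty("mail.smtp.user", user); // optional default for the callback
        return Session.getInstance(props, new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(user, new String(password));
            }
        });
    }

    // Approach 2: manage the Transport explicitly and pass the credentials to
    // connect(); the message must then go through sendMessage(), not send().
    static void sendWithExplicitConnect(Session session, Message msg, String user, char[] password)
            throws MessagingException {
        Transport transport = session.getTransport("smtp");
        try {
            transport.connect(user, new String(password)); // host/port come from the Session properties
            msg.saveChanges();
            transport.sendMessage(msg, msg.getAllRecipients());
        } finally {
            transport.close();
        }
    }

    static Message buildMessage(Session session, String from, String to) throws MessagingException {
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress(from));
        msg.setRecipient(Message.RecipientType.TO, new InternetAddress(to));
        msg.setSubject("SMTP auth test");
        msg.setText("Sent over an authenticated SMTP session.");
        return msg;
    }

    public static void main(String[] args) throws MessagingException {
        // Credentials come from the environment (assumed variable names), not
        // from a hard-coded string or a clear-text server.xml entry.
        String user = System.getenv("SMTP_USER");
        String pass = System.getenv("SMTP_PASSWORD");
        if (user == null || pass == null) {
            throw new IllegalStateException("SMTP_USER and SMTP_PASSWORD must be set");
        }
        char[] password = pass.toCharArray();

        Session session = sessionWithAuthenticator(baseProperties("mail.example.com", 587), user, password);
        Message msg = buildMessage(session, "sender@example.com", "recipient@example.com");

        if (args.length > 0 && "explicit".equals(args[0])) {
            sendWithExplicitConnect(session, msg, user, password); // approach 2
        } else {
            Transport.send(msg); // approach 1: the Session's Authenticator supplies the credentials
        }
        Arrays.fill(password, '\0'); // scrub the copy this code controls
    }
}
```

Run with no arguments to use the Authenticator path, or with the argument `explicit` to use Transport.connect. In a container-managed setup the same two paths apply: a Session obtained from JNDI must either carry an Authenticator (which is what supplying the container's username/password attributes achieves) or be used with an explicit connect(user, password).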