Token authentication

Hi,
We have an ASA running version 8.4.
There are servers accessed with remote sessions such as SSH through these firewalls. When users access these servers via SSH, does the ASA support two-factor authentication for such access?
The requirement is to be prompted for a token when these servers are accessed via SSH through the firewall.
Appreciate all inputs!

Hi.
I suppose you're using the 3rd party authentication in SSGD coupled with a token (and possibly a RADIUS authentication), but I could be wrong.
Could you please share with us a bit more about your SSGD/token infrastructure (eg, if you're using mod_auth_radius, mod_auth_xradius or the embedded support for RSA tokens)?
Thanks,
Rob

Similar Messages

  • P6WS "WSS header is missing from request. Can't do username token authentication."

    I am getting the error "WSS header is missing from request. Can't do username token authentication." when trying to connect with SOAP and use Token Auth. I can get cookies to work just fine, but I need to be able to connect with both.
    // Build the login request from the form fields
    testWebReference.Login clientLogin = new testWebReference.Login();
    clientLogin.UserName = paUsername.Text;
    clientLogin.Password = paPassword.Text;
    clientLogin.DatabaseInstanceId = Int32.Parse(paDBI.Text);
    clientLogin.DatabaseInstanceIdSpecified = true;
    // One proxy instance, pointed at the endpoint and forced to SOAP 1.1,
    // then the Login call that must carry the WSS username token
    testWebReference.AuthenticationService service = new testWebReference.AuthenticationService();
    service.Url = proxy;
    service.SoapVersion = System.Web.Services.Protocols.SoapProtocolVersion.Soap11;
    service.Login(clientLogin);

    I uploaded an example of usertoken on My Oracle Support community.
    TestUserToken.zip
    V/r,
    Gene

  • Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

    I am using a custom binding in the BTS adapter with the following elements (similar to TransportWithMessageCredential, with both the client and the server certs):
     encoding (soap11)
     https transport
    Security: CertificateOverTransport
    Problem: the request is sent successfully, but when I receive the response in BizTalk I get the following error:
    System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. After turning on tracing, the WCF trace contains the following error: "Tokens of that type cannot be accepted according to current security settings."
    Solutions tried
    1) Changed the security to MutualCertificate; this time the request also fails, with the following error message: The remote endpoint did not provide a domain name system (DNS) claim and therefore did not satisfy DNS identity 'xxxx.com'.
    This may be caused by lack of DNS or CN name in the remote endpoint X.509 certificate's distinguished name.
    Binding configuration
    <behaviors>
      <endpointBehaviors>
        <behavior name="EndpointBehavior">
          <clientCredentials>
            <clientCertificate findValue="XXXXXXXXXXXXXXX" x509FindType="FindByThumbprint" />
            <serviceCertificate>
              <defaultCertificate findValue="XXXXXXXXXXXX" storeName="TrustedPeople" x509FindType="FindByThumbprint" />
              <authentication certificateValidationMode="None" revocationMode="NoCheck" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior" />
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <customBinding>
        <clear />
        <binding name="XXXXXXXXX">
          <textMessageEncoding messageVersion="Soap11" />
          <security allowSerializedSigningTokenOnReply="true" authenticationMode="CertificateOverTransport" requireDerivedKeys="false" securityHeaderLayout="Lax" messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" requireSecurityContextCancellation="false">
            <secureConversationBootstrap />
          </security>
          <httpsTransport />
        </binding>
      </customBinding>
    </bindings>
    Thanks -Madhu

    Please refer to the similar discussion:
    http://social.msdn.microsoft.com/Forums/en-US/6a3d38ee-30ca-43fb-b906-6e95808df69d/cannot-find-a-token-authenticator-for-the-systemidentitymodeltokensx509securitytoken-token?forum=wcf

  • Token authentication error

    When I try to open an app I get a token authentication error. What does it mean?

    Ah, I feel like a bit of a fool. It had reset it, but I didn't read what it said, and it actually wanted the current password. It's been a long day.
    Thanks for the help though :)

  • RSA-Token Authentication WLC 5500

    Can I configure "RSA SecurID" or a "Token" to authenticate users on a WLAN on the Wireless LAN Controller 5500 series?
    Is that possible?

    LeeJohns,
    We are testing this type of authentication; our components are:
    1.- Wireless LAN Controller 5508
    2.- LAP 1141
    3.- RSA Authentication Manager 6.1
    We don't have an external RADIUS server such as Cisco ACS.
    We added the management IP address of the WLC as a "RADIUS Client" in the RSA Authentication Manager 6.1.
    The configuration of the WLC is:
    1.- Security / RADIUS / Authentication: IP address of the RSA Authentication Manager.
    2.- WLAN / Layer 2 Security: 802.1X / AAA Servers: IP address of the RSA Manager.
    Configuration of the RSA Authentication Manager:
    1.- RSA Authentication Manager > Add Agent Host > Network Address: management IP address of the WLC
    2.- In the RSA client, enter the same shared key entered on the WLC.
    The WLAN shows the prompt "Enter Username and Password" when the user tries to connect to the wireless network; the user enters the username/password and the authentication fails.
    Is a RADIUS server necessary?
    Thanks

  • Token authentication timeout

    I'm seeing some behavior I don't understand with token timeouts. My code creates a token with a 60 minute, 100 login limit:
    try {
       ISessionMgr        sessionMgr        = CrystalEnterprise.getSessionMgr();
       IEnterpriseSession enterpriseSession = sessionMgr.logon(id, pwd, server, type);
       // Now create the login token: 60 minutes or 100 logons, whichever comes first
       ILogonTokenMgr logonTokenMgr = enterpriseSession.getLogonTokenMgr();
       token = logonTokenMgr.createWCAToken("", 60, 100);
    } catch (Exception e) {
       throw new LoginHelperException(e);
    }
    I have a web front end that calls various services. All these services begin with an auth check that looks something like this:
    try {
       if (token == null) {
          throw new LoginHelperException("Missing token");
       } else {
          // A fresh session from the token on every request; nothing is kept in the web session
          enterpriseSession = CrystalEnterprise.getSessionMgr().logonWithToken(token);
       }
    } catch (Exception e) {
       throw new LoginHelperException(e);
    }
    I am not storing the enterpriseSession in my web session. I create a new one with the token for every request. It's my understanding that I should only have to create a new token after 60 minutes, or after 100 calls to logonWithToken(), whichever comes first. But what I'm seeing in practice is an auth exception after only a few minutes.
    2008-11-14 09:41:39,457 ERROR [http-8080-Processor24] (report_jsp.java:120) - Exception in report.jsp
    com.reporting.bo.exceptions.LoginHelperException: com.crystaldecisions.sdk.exception.SDKServerException: An error occurred at the server :
    Session ID is not valid.
    cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
    detail:An error occurred at the server :
    Session ID is not valid.
    The server supplied the following details: OCA_Abuse exception 10503 at [exceptionmapper.cpp : 65]  42436 {}
            ...Session ID is not valid. Original session not available for ONEOFF logon
    Am I misunderstanding how tokens work? I'd like for the token to be valid for more than 10 minutes.

    You're using the WCA token.
    Validity lifetime of a WCA token is tied to the originating EnterpriseSession that created it.
    Since the originating EnterpriseSession is going out of scope in your code, it gets GC'ed.
    When the CMS detects that the EnterpriseSession no longer exists, it invalidates all WCA tokens associated with it.
    Next time you try to use the WCA token, it fails.
    So either use the Logon Token - that uses a CAL each time you use it - or keep the EnterpriseSession live but make sure you log it off when you're done with it.
    Sincerely,
    Ted Ueda

  • SGD with RSA Token Authentication - Is it all or nothing?

    We are investigating having RSA authentication in SGD, but we only want to force its usage for a subset of users. Based on what I can see in the docs and the screen, it's not clear if it's all or nothing.

    We have the same question from a customer.
    Here is my suggestion:
    Have two SGD servers. Both are in one array. Because LDAP and RSA are global configurations, both SGD servers can handle logins via these authorities.
    To prevent login via RSA on sgd1, disable the route to the RSA server.
    To prevent login via LDAP on sgd2, disable the route to the LDAP server.
    sgd2 should be the primary and the login of the admin console, so DSI will work.
    Another thought, which is a dead end: RSA via 3rd party authentication and http.conf preventing access from a network. This can work, but not with firewall traversal, because Apache sees only localhost.
    Would be happy to have more suggestion about this.

  • Custom Token authentication using OAM 11g

    Hi All,
    I have the following requirement: authenticate access to a resource based on a custom token, checking whether it is null or not. There is no need to map the token to a user record.
    Environment is all 11g.
    What is the best way to implement it? Is it possible to do it with just OAM 11g alone? Or does it require Oracle STS too? Please provide your inputs.
    Thanks,
    Mahendra.
    Edited by: 903004 on Jan 8, 2012 9:08 PM

    Can someone provide inputs on this? Please treat this as urgent.

  • Security and authentication

    The bottom line is I don't know anything about either of these two areas. I've always been a client side interactive developer and designer, handing off the real backend work to developers in that field. FMS is finally plunging me into this area, as now I can apply my knowledge of ActionScript to the server side of things, and pull together some amazing stuff.
    How should I authenticate, say, a basic chat, so only logged in users can send a message? I can easily require login on the client side, but that wouldn't stop spoofing and decompiling. Is the FMS communication encrypted? I could send username/password for each message based on the client input, and authenticate securely on the server against a server-side list, but that seems rather foolish: in the event someone listens in on the client's messages, they would then see the username and password. But how else would it be done?

    FMS can use SSL just like an https server can, but it's not configured by default. You'd need to set up a certificate and configure FMS to use SSL. That said, unless you need to encrypt the chat (or other data/audio/video), you don't need to secure your FMS.
    Really, all you need to do is authenticate once when the user connects. Here's what I like to do:
    1. Have the user log in via https (before connecting to the FMS app)
    2. Have the http side login process create a token (I like to use a random 50 character string) and store it in a database
    3. Pass the token back to the client in the response to the authentication request
    4. Connect to FMS, passing the token in the netconnection.connect arguments
    5. Before accepting the client, the FMS app calls back to the http server (using loadvars, netservices, or an xml object), sending the token in the request
    6. The http service checks the ticket, and returns a success or failure message. If the ticket is good, the service expires or deletes it so it can't be used again.
    7. The FMS app accepts/rejects the client based on the response from the token authentication request.
    So, the only time a password gets transmitted is when the client first logs in. That makes it easy to encrypt the sensitive data, and then just send the token (unencrypted) to the FMS server. Even if someone intercepts the token, it will be of no use to them, as it can only be used once.
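    The seven-step flow above, as an added example that is not part of the original answer or of FMS: a Python one-time token store for the HTTPS login side, plus the media-server-side acceptance check that redeems the token. The in-memory dictionary standing in for the database, the 60-second lifetime, and all names are assumptions; the token is 64 characters rather than the answer's 50.

```python
# Added example (not from the original thread): one-time connection tokens
# for the HTTPS-login -> media-server handoff described above.
# Assumptions: an in-memory dict stands in for the database; tokens live 60 s.
import secrets
import threading
import time

TOKEN_TTL_SECONDS = 60  # assumption: the client must connect within a minute of logging in


class OneTimeTokenStore:
    """Issued at HTTPS login time (step 2), redeemable exactly once (step 6)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock           # injectable so expiry can be tested
        self._lock = threading.Lock()
        self._tokens = {}             # token -> (username, expires_at)

    def issue(self, username):
        # 48 random bytes -> 64 URL-safe characters from the OS CSPRNG; the
        # token is never derived from the user or the time, so it is unguessable.
        token = secrets.token_urlsafe(48)
        with self._lock:
            self._tokens[token] = (username, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Check and delete in one step so a captured token cannot be replayed.

        Returns the username the token was issued to, or None.
        """
        with self._lock:
            entry = self._tokens.pop(token, None)   # gone after the first lookup
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None                             # stale; already deleted above
        return username

    def purge_expired(self):
        """Housekeeping for tokens that were issued but never redeemed."""
        now = self._clock()
        with self._lock:
            stale = [t for t, (_, exp) in self._tokens.items() if exp < now]
            for t in stale:
                del self._tokens[t]
        return len(stale)


def media_server_on_connect(store, token):
    """Steps 5-7 on the media-server side: accept the client only if the
    login service redeems the token handed over in the connect call.
    In a real deployment this is an HTTP call to that service; here the
    store is called directly (assumption)."""
    user = store.redeem(token)
    return {"accepted": user is not None, "user": user}
```

    Two points the steps leave implicit: the redeem is a single pop under a lock, so two clients racing with the same captured token cannot both be accepted, and the token carries the username, so the media server learns who connected without a second lookup. The short lifetime bounds how long an intercepted-but-unused token stays valuable.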

  • Unable to add security token for identity

    Hi all,
    I am trying to implement a web service with username token authentication. I have defined the WS-Policies in the WSDL and checked the Process Security Header checkbox in the proxy configuration. But when I invoke the proxy through the test console and pass the full SOAP envelope, I am getting an "Unable to add security token for identity" error.
    This is how the soap header looks from the request document part of the test console:
         <soap:Header>
           <wsse:Security>
             <wsse:UsernameToken>
               <wsse:Username>xxxxx</wsse:Username>
               <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">yyyyyy</wsse:Password>
             </wsse:UsernameToken>
           </wsse:Security>
         </soap:Header>
         <soap:Body>
    I have configured the user in the ALSB security configuration and added an access policy stating that the proxy can be accessed only by user "xxxx".
    Please help
    -Atheek

    Mostafa ,
    This points to a misconfiguration of your security. Possible causes are:
    * There is not a valid RSA key to sign the SAML token with.
    * The SAML CredentialMapper is missing
    * There is no Relying Party (rp) configured for SAML Credential Mapper that matches your producer
    * The producer is using User Name Token and you have not configured the DefaultCredentialMapper to allow UserNameToken.
    Good Luck,
    Nate
    Edited by: user650654 on Sep 9, 2008 4:31 AM
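    The header posted above sends the password as PasswordText, which the WSS Username Token Profile 1.0 also allows to be replaced by a PasswordDigest of Base64(SHA-1(nonce + created + password)). As an added example that is not part of the thread or of ALSB, here is a Python builder for both forms and a server-side verifier that accepts only the digest form, checks Created against a freshness window and refuses a repeated nonce. The constructed user table, the in-memory nonce cache, whole-second Created values and the 5-minute window are assumptions.

```python
# Added example (not from the original thread): building and verifying a
# WS-Security UsernameToken with PasswordDigest instead of PasswordText.
# Digest per the OASIS Username Token Profile 1.0:
#   Base64( SHA-1( nonce_bytes + created_string + password ) )
# Assumptions: constructed in-memory password table, whole-second Created,
# in-memory nonce cache, 5-minute freshness window.
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
SOAP_SEC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"
BASE64_BINARY = SOAP_SEC + "#Base64Binary"
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce, created, password):
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_security_header(username, password, now=None, nonce=None, clear_text=False):
    """Return the <wsse:Security> element as a string. clear_text=True reproduces
    the PasswordText form from the posted request, for comparison only."""
    sec = ET.Element("{%s}Security" % WSSE)
    tok = ET.SubElement(sec, "{%s}UsernameToken" % WSSE)
    ET.SubElement(tok, "{%s}Username" % WSSE).text = username
    if clear_text:
        ET.SubElement(tok, "{%s}Password" % WSSE, Type=PASSWORD_TEXT).text = password
        return ET.tostring(sec, encoding="unicode")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    created = now.strftime(CREATED_FMT)
    nonce = nonce or os.urandom(16)            # fresh per message; this is what stops replay
    ET.SubElement(tok, "{%s}Password" % WSSE, Type=PASSWORD_DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(tok, "{%s}Nonce" % WSSE, EncodingType=BASE64_BINARY).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, "{%s}Created" % WSU).text = created
    return ET.tostring(sec, encoding="unicode")


class UsernameTokenVerifier:
    def __init__(self, passwords, window_seconds=300, clock=None):
        self._passwords = passwords             # username -> password (constructed table)
        self._window = window_seconds
        self._clock = clock or (lambda: datetime.datetime.now(datetime.timezone.utc))
        self._seen = set()                      # (nonce, created) pairs already accepted

    def verify(self, security_xml):
        """Return (True, username) or (False, reason)."""
        try:
            tok = ET.fromstring(security_xml).find("{%s}UsernameToken" % WSSE)
        except ET.ParseError:
            return False, "malformed Security header"
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext("{%s}Username" % WSSE)
        pw = tok.find("{%s}Password" % WSSE)
        if not user or pw is None:
            return False, "incomplete token"
        # A missing Type attribute means PasswordText per the profile, so it is refused too.
        if pw.get("Type") != PASSWORD_DIGEST:
            return False, "PasswordText refused: clear-text password"
        nonce_b64 = tok.findtext("{%s}Nonce" % WSSE)
        created = tok.findtext("{%s}Created" % WSU)
        if not nonce_b64 or not created:
            return False, "digest token needs Nonce and Created"
        try:
            created_at = datetime.datetime.strptime(created, CREATED_FMT).replace(tzinfo=datetime.timezone.utc)
            nonce = base64.b64decode(nonce_b64)
        except (ValueError, Exception):
            return False, "bad Created or Nonce"
        if abs((self._clock() - created_at).total_seconds()) > self._window:
            return False, "Created outside freshness window"
        if (nonce_b64, created) in self._seen:
            return False, "replayed nonce"
        password = self._passwords.get(user)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw.text or ""):
            return False, "digest mismatch"
        self._seen.add((nonce_b64, created))    # remember only tokens that verified
        return True, user
```

    The verifier is fed the Security element alone; in the posted envelope it sits inside soap:Header, so a real handler would locate it there first. Note that the digest form only keeps the password off the wire; it still needs the server to hold the clear-text password (or an equivalent) to recompute the digest, so it is no substitute for TLS on the transport.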

  • Cisco ACS v4.1 - User Export incl. Authentication Method

    Hi,
    I wish to export a list of all our users, including their group and, more importantly, their password authentication method. We have a combination of users that authenticate using both the ACS internal database and also the external RSA SecurID database. Basically I need to identify all users who are NOT authenticating against SecurID.
    I ran CSUtil.exe -u   , however this only gives me the user & group, doesn't list the authentication method per user.
    Thanks,
    Brian

    Brian,
    Unfortunately, CSUtil.exe will only list the users and the group they are a member of. So the simple answer is no.
    If the goal is to set everyone to use token authentication, you could export a list of all users with CSUtil.exe, then use the client import option to update the database used for authentication of all users. Here is the URL for documentation on this and other CSUtil.exe options.
    =====================
    Via Csutil
    Created a file in text format
    ONLINE
    UPDATE::EXT_SDI
    ADD::EXT_SDI:PROFILE:
    DELETE:
    csutil -i
    =====================
    If you feel adventurous, you could explore the contents of the dump.txt by running csutil -d.
    This file does contain the information you are looking for. However, there is no documentation or support available for reading or decrypting it.
    Regards,
    Jatin
    Do rate helpful posts-

  • Token Access to AS ABAP

    Hi,
    Some of our customers use CRM 2007 and need to know if it is possible to let end users access CRM 2007 applications with a token infrastructure.
    This is easy, and lots of standard implementations exist for AS Java, especially in Portal scenarios, but I couldn't find any standard solution for an AS ABAP based system.
    As CRM 2007 uses BSP based applications, authentication is controlled by the ICM, and my searches for a custom authentication mechanism for AS ABAP ended without success.
    The only option I can see to implement such a scenario is to call the CRM 2007 applications from a NW Portal and implement token authentication over AS Java.
    Please let me know if you have such scenarios or solutions implemented
    Regards

    Hi,
    When you configure the ICM application using t-code SICF, you can configure it to redirect to the Java AS system where the authentication module is installed (this doesn't have to be a Portal NW AS). Then, after the SSO2 ticket has been issued, a redirect back to the ICM application is performed; the user doesn't see any of this, so it looks like they are being authenticated directly when they access the ICM application URL on the ABAP AS.
    Products such as the one mentioned at https://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter include the necessary login modules and the servlet to perform the redirection.
    Thanks,
    Tim

  • Simple Authentication with SMP 10.1 and FMS 3.5

    Good day all,
    I am looking to add simple authentication to the SMP player for use with FMS 3.5. I recently came across a technical paper published by Adobe titled, "Video content protection measures enabled by Adobe Flash Media Interactive Server 3.5". Within this document are three examples of user authentication with code samples. I am starting with the "simple" client verification using a unique token authentication key method first.
    I've noticed that SMP doesn't have any FMS security mechanisms built-in at least that I've been able to identify in the documentation or feature specs. Did I miss something? I am looking for assistance in getting started with adding this feature to SMP. So my question is where could I add the client side Actionscript within the SMP structure?
    I'd very much like to hear about others' experiences with adding security mechanisms to SMP used with FMS.
    Thank you.

    Andrian, thank you for the quick reply. I'm glad SMP has support for the playback of protected content. Is there more documentation than this demo on this topic?
    I'll explain what I'm doing. I am implementing SMP as the default video player application used in online courses at the Savannah College of Art and Design. Identifying the player and implementing its use in our production workflow is the first step in a strategy to deliver a better video experience and leverage the scalability and flexibility of SMP. On the back end, for integration with our FMS, I have been asked to implement some user authentication. We don't need to re-auth the students, as they have already been authenticated through our LMS. What is desired is that each player instance authenticates with our server to prevent stream ripping.
    The simple user token authentication key example from the linked document seems to best suit this initial need.

  • ACS 4.2 with multiple RSA secure ID token servers

    Hi all,
    I have a question which I couldn't find an answer to so far. Below is a very brief explanation of what I have and what I need to do.
    What I have:
    1- An ACS 4.2 server installed on Win 2003 with the RSA agent installed.
    2- An RSA SecurID Authentication Manager 7.1
    The problem:
    Due to a lost RSA master password I am unable to back the DB up and upgrade RSA AM 7.1 to 7.1 SP4.
    So far, all the solutions I have found and been told to try by RSA support have not enabled me to recover the lost password.
    What I want to do:
    I want to install a fresh copy of RSA AM 7.1 SP4 on Win 2008 R2.
    Since I can't make a DB backup from the running RSA, once I install the fresh copy I will migrate users one by one.
    My question:
    This is a very busy production environment and users can't tolerate downtime at all.
    I need to keep everything running, so I need to know if it is possible to have 2 RSA data stores set up within ACS 4.2 or not.
    And if so, will users migrated to the new RSA installation still be able to authenticate or not?
    Can ACS send multiple authentication requests simultaneously or not? And what happens if a user is present in both instances of RSA, old and new?
    Thanks,
    Khash

    I have this setup and working. Set up an external database connection on the ACS for a RADIUS server (not RSA) and set up your RSA server with the RADIUS shared secret. Check IP connectivity between both, and make sure that the RSA server is the first database to be queried. Here you are just using RADIUS to pass through the auth from the ACS to the RSA server.
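    Both the WLC post above (WLC registered as a RADIUS client on the RSA Authentication Manager with a shared key) and this ACS answer (ACS passing the auth through to RSA over RADIUS with a shared secret) rest on the same RFC 2865 exchange. As an added example that is not from either thread, from Cisco, or from RSA, here is that Access-Request / Access-Accept round trip in Python, showing the two places the shared secret is used: hiding the User-Password attribute and authenticating the reply. PAP only, a constructed passcode table standing in for the token server, and the absence of vendor attributes or EAP are assumptions.

```python
# Added example (not from either thread): the RADIUS Access-Request exchange
# an ACS or WLC uses to hand authentication to an RSA server, per RFC 2865.
# Assumptions: PAP only, constructed passcode table, no VSAs, no EAP.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # standard attribute types


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: NUL-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = (password + b"\x00" * ((-len(password)) % 16)) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side of hide_password; chaining uses the received ciphertext block."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")           # assumption: passcodes have no trailing NULs


def attribute(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(blob):
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        kind, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs[kind] = blob[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, request_authenticator=None):
    ra = request_authenticator or os.urandom(16)      # must be unpredictable in real use
    attrs = attribute(USER_NAME, username.encode())
    attrs += attribute(USER_PASSWORD, hide_password(password.encode(), secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_authenticator, secret):
    """NAS side: a reply whose authenticator does not check out is dropped,
    never treated as an Accept or a Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, identifier, packet[20:length], request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:20])


def serve_access_request(packet, secret, passcodes):
    """Token-server side: unhide the passcode (PIN + tokencode) and check it."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    ra, attrs = packet[4:20], parse_attributes(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    passcode = reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    expected = passcodes.get(user)
    ok = expected is not None and hmac.compare_digest(expected.encode(), passcode)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, ra, secret)
```

    Run with the same secret on both sides the exchange returns an Access-Accept whose authenticator verifies; with mismatched secrets the server unhides garbage, returns an Access-Reject, and the NAS cannot verify that reply, which is exactly the "authentication failed" symptom with no secret-mismatch error that the WLC post describes. The User-Password hiding is MD5-based obfuscation keyed only by the shared secret, not encryption, so the link between the controller or ACS and the token server belongs on a protected management network or inside RADIUS over TLS (RFC 6614).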

  • Server to Server authentication

    Currently I'm developing a SharePoint application to access a web service running on another server. The web service is configured to use SAML token authentication. I plan to configure server-to-server authentication between the SharePoint server and the web service server.
    I searched the internet and found several documents talking about how to configure server-to-server in SharePoint 2013. But I didn't find anything about how to implement the logic to generate the access token and make the actual call... Is there any guideline on this? Thank you!

    Hi,
    According to your post, my understanding is that you want to know how to generate the access token.
    In the high-trust authorization system, the remote component of your app for SharePoint creates the access token. If the remote component is using managed code for its server-side code, most of the coding work for creating the tokens is done for you in the SharePointContext.cs (or .vb) and TokenHelper.cs (or .vb) files that are included in Office Developer Tools for Visual Studio.
    There is an article that provides information about how your code creates and passes the access token; you can refer to it.
    http://msdn.microsoft.com/en-us/library/office/dn762439(v=office.15).aspx
    Thanks,
    Jason
    Forum Support
    Jason Guo
    TechNet Community Support
