Tta4.2 AD authentication

Similar Messages

• Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

  I would love some help with this issue.  I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0  I have a test account set up with lab.acme.com to use the ACS.
  When I log into my site using Windows Auth, everything is great.  However when I log in and select my ACS token issuer, I get sent, to the logon page of the ADFS, after selected the ADFS method. My browser prompt me which Certificate identity I want
  to use to log in   and after 3-5 second
   and return me the logon page with error message “Authentication failed” 
  I base my setup on the technet article
  http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
  I validated than all my certificate are valid and able to retrieve the crl
  I got in eventlog id 300
  The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
  Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  Additional Data
  Exception details:
  Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
  ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
  correctly, but one of the CA certificates is not trusted by the policy provider.
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  --- End of inner exception stack trace ---
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
  serializationContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
  trustNamespace, AsyncCallback callback, Object state)
  System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
  failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  thx
  Stef71

  This is perfectly correct on my case I was not adding the root properly you must add the CA and the ADFS as well, which is twice you can see below my results.
  on my case was :
  PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
  cer\SP2K10\ad0001.cer")
  PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
  Certificate                 : [Subject]
                                  CN=domain.AD0001CA, DC=domain, DC=com
                                [Issuer]
                                  CN=domain.AD0001CA, DC=portal, DC=com
                                [Serial Number]
                                  blablabla
                                [Not Before]
                                  22/07/2014 11:32:05
                                [Not After]
                                  22/07/2024 11:42:00
                                [Thumbprint]
                                  blablabla
  Name                        : domain.ad0001
  TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
  DisplayName                 : domain.ad0001
  Id                          : blablabla
  Status                      : Online
  Parent                      : SPTrustedRootAuthorityManager
  Version                     : 17164
  Properties                  : {}
  Farm                        : SPFarm Name=SharePoint_Config
  UpgradedPersistedProperties : {}
  PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
  cer\SP2K10\ADFS_Signing.cer")
  PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
  Certificate                 : [Subject]
                                  CN=ADFS Signing - adfs.domain
                                [Issuer]
                                  CN=ADFS Signing - adfs.domain
                                [Serial Number]
                                  blablabla
                                [Not Before]
                                  23/07/2014 07:14:03
                                [Not After]
                                  23/07/2015 07:14:03
                                [Thumbprint]
                                  blablabla
  Name                        : Token Signing Cert
  TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
  DisplayName                 : Token Signing Cert
  Id                          : blablabla
  Status                      : Online
  Parent                      : SPTrustedRootAuthorityManager
  Version                     : 17184
  Properties                  : {}
  Farm                        : SPFarm Name=SharePoint_Config
  UpgradedPersistedProperties : {}
  PS C:\Users\administrator.PORTAL>

• Authentication - multiple domains with multiple accounts

  Dear All,
  Consider an environment where a user, Joe Bloggs, has an account on two Windows domains:  DOMA and DOMB.  DOMA is a domain that all users in the organisation are members of.  DOMB is a domain used by a smaller subset of users.  The user's
  machine is part of the DOMB domain.
  I'd like to deploy SharePoint 2013 on DOMA and have the user, logged on to their DOMB machine, seamlessly authenticate (through IWA) with SharePoint 2013.  
  So far, I've thought of the following solutions:
  1.  Build a trust between the two domains.  Possible, but the AD information in DOMA is more up-to-date than that in DOMB and I'd like to use that to populate SharePoint user profiles.  Also, DOMB is likely to be deprecated in the future.
  2.  Use WorkPlace Join.  Unfortunately, devices are running Windows 7 and WorkPlace Join only works for devices running Windows 8.
  I've wondered whether it's possible to map two accounts on separate domains together so that a user on DOMB can effectively masquerade as their corresponding user on DOMA when authenticating with SharePoint, but haven't come across a way of doing this, yet.
  Any ideas?  Or, am I completely mad?!
  Thanks in advance.

  1) Is your only option for seamless logon with IWA. It is not possible to map accounts "together" so-to-speak. SharePoint stores a reference to the user's SID, which must match the user making the request.
  An ADFS trust might be another option, although that increases your deployment footprint and complexity.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Error while authenticating a user

  Dear all,
  Hope you all are doing well.
  Production issue :
  When an user tries to login with his username and password. He is getting error message "INTERNAL ERROR OCCURED".
  And the standard RFC which i'm using for authenticating user is  SUSR_LOGIN_CHECK_RFC
  CALL FUNCTION 'SUSR_LOGIN_CHECK_RFC'
    EXPORTING
         bname                                 = ip_empid
         password                             = ip_password
  EXCEPTIONS
         wait                                     = 1
         user_locked                          = 2
         user_not_active                    = 3
         password_expired                 = 4
         wrong_password                   = 5
         no_check_for_this_user         = 6
         password_attempts_limited    = 7
         internal_error                         = 8
  OTHERS                                    = 9.
  I want to know what is the meaning of this internal error ? something is going wrong with the standard RFC which I am referring to ? Some one please help me out..
  Thanks in advance.

  Hi Syed,
  Really need more of a context to your problem.
  1. You've posted in the SSO forum. A SSO problem or a normal SAPGUI logon problem ?
  2. You say .... "And the standard RFC which i'm using for authenticating user is  SUSR_LOGIN_CHECK_RFC" .... Meaning what ??? you are using a home developed solution ?
  3. Problem affects one user or all users ?
  4. Backend version and kernel pl level please.
  Cheers,
  Amerjit

• Authenticating test applcation in OAM is not working

  Hello OAM experts, can you please help to figure out why my test application is not getting authenticated by OAM.
  I have installed IDM for fusion application and SSO login is working for all admin consoles such as WLS, EM, OAM, OIM. I have deployed test application to OAM server itself to test the authentication of protected resources.
  Host identifier is already there which was create while configuring my IDM for fusion applications. I created new application domain , created resource for /text/*, created authentication policy and used LDAPScheme for authentication, created authorization policy and defined constraints by adding a group OAMAdministrators ( just for testing purpose). I also added response in the authentication policy.
  Then I have configured admin.conf of OHS server to redirect http://webhost1:7777/test to oam server host and port. It is getting redicted but not to the SSO login page. The URL still shows http://webhost1:7777/test and executes the test page and displays test application. It should have been redirected to SSO login page though OAM.
  At this stage I have no clue what did I miss. As I said, when I login to wls console, it gets redicted to SSO login through OAM login page and then while accessing OIM, it directly takes me to OIM application since the user has privileges and also OAM page without logging in again.
  But why my test application is not redirected to OAM authentication page ?
  Any help is grately appreciated.
  thanks
  Edited by: Jyothi on May 3, 2012 3:25 AM

  Hi, I am having the same issue. I am new to all this OAM stuff. I am using OAM 11g with a 11g Webgate configured. When I try to access the OAM Console the SSO setup does work and kicks-in and redirects me to the OAM server's integrated login page. But my test application that lives on an app server installed on a separate machine is never challenged for their credentials. As the documentation says I have CLIENT-CERT defined as the auth-method in my login-config inside my applications web.xml file.
  I think I am not using the right providers. What I want is Identity Assertion and also OAM authentication (if Identity Assertion fails Authentication should kick-in and redirect to challenge login page). So I have an OAMIdentityAsserter and an OAMAUthenticator set-up in addition to the Default Weblogic Identity Asserter and Default Weblogic Authenticator.
  I have tried everything but, the login redirect never happens. If I use the DefaultAuthenticator along with OAMAuthenticator (no OAMIdentityAsserter) and define BASIC in my login-config in web.xml then the Default Weblogic Authenticator pops up a dialog box which does let me enter credentials and when I do it does make the trip to the OAM server and works flawlessly. But I don't want basic authentication and I don't want a dialogue box to pop-up. I want the OAM server to redirect me to it's built-in login page just like it does for the OAMConsole itself which is being protected by the out of the box 10g IAMSuiteAgent Webgate. Which, as you know, comes pre-installed.
  Please let me know your configuration and the providers you have set up and how you were able to make the OAM server challenge you for credentials when trying to access a protected resource/application.
  Thank You.

• Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

  Hello,
  I have configured a Guest SSID with web authentication (captive portal).
  wlan XXXXXXX 2 Guest
   aaa-override
   client vlan YYYYYYYYY
   no exclusionlist
   ip access-group ACL-Usuarios-WIFI
   ip flow monitor wireless-avc-basic input
   ip flow monitor wireless-avc-basic output
   mobility anchor 10.181.8.219
   no security wpa
   no security wpa akm dot1x
   no security wpa wpa2
   no security wpa wpa2 ciphers aes
   security web-auth
   security web-auth parameter-map global
   session-timeout 65535
   no shutdown
  The configuration of webauth parameter map  is :
  service-template webauth-global-inactive
   inactivity-timer 3600 
  service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   voice vlan
  parameter-map type webauth global
   type webauth
   virtual-ip ipv4 1.1.1.1
   redirect on-success http://www.google.es
  I need to  login on web authentication on HTTP instead of HTTPS.
  If I  login on HTTP, I will not receive certificate alerts that prevent the users connections.
  I saw how to configure it with 7.x relesae but I have IOS XE Version 03.03.05SE and I don´t know how to configure it.
  Web Authentication on HTTP Instead of HTTPS
  You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
  For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
  For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
  On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
  Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
  Thanks in advance.
  Regards.

  The documentation doesn't provide very clear direction, does it?
  To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

• Intermittent AD Authentication failures in ISE 1.2

            Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran a authetication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal?  Any ideas?
  Thanks
  Jef

  Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have notices that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
  When you say Multicast to you AD...how did you check that? We do use multicast.

• Authentication Combination in ISE 1.2

  Is it possible to have dual authentication using workstations auth certs and Windows domain credentials for authentication in ISE 1.2?                  

  Hi Kevin,
  This would be a client side configuration.
  What type of authentication is this?
  VPN? wired or wireless dot1x?
  **Share your knowledge. It’s a way to achieve immortality.
  --Dalai Lama**
  Please Rate if helpful.
  Regards
  Ed

• ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

  We are running cisco ISE 1.2, we have new AD domain with forest trust relation between both the new and the old. authentication to with the new domain fails.
  Is there any requirements or configurations change needs to be done to make it success?

  Use the license that is currently on your ISE.  If your account has access to download the software, then you are good.  The license will not change during the upgrade.  If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus?Apex Licensing model. 
  If you are not yet on Patch 8, the you are using Base/Advanced and these will be converted during the upgrade.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Can we add new logical system in Entitlement tab in SAP Authentication.

  Hi ,
  We already Installed and configured sap integration kit and every thing works fine. My question is as of now we connected our sap BW Dev system  to BOBJ but we would like to connect to BW Prod System to same BOBJ System. What are the steps we need to follow to do this.
  Can we just add the new logical system in entitlement tab of sap authentication in BOBJ 3.1? and import the roles and login to BOBJ USING THE Newly added SYSTEM Credentials.  Thanks in Advance.
  Thanks,
  SK.

  Hi Ingo,
  Thanks for the information.
  Are there any specific steps you need to follow when you are adding one more system to sap authentication. can you please give the steps we need to follow to setup this in right way. Thanks in advance.
  Is there any thing we need to configure on sap side other than sap logon ticket parametre. If you can please provide the steps it will be great. Thankyou very much In advance.
  Thanks,
  SK.
  Edited by: Vallabhaneni SK on Jul 14, 2009 8:53 AM

• Data Federator authentication modes

  In Data Federator (3.0 SP1 or previous), Is there any authentication mode similar to AD/LDAP in BOE?
  What are the options available for dynamic logon, while connecting to a database via JDBC in the DF Data source definition screen?
  Thanks
  Tiji

  Hi Tiji,
  Connecting to Data Federator using BOE applications
  In Data Federator XI 3.0 SP1 and previous versions the only way to connect to Data Federator is to provide a user name and password. Data Federator manages its own repository of users.
  Using Universe Designer, you can create a Data Federator connection with two authentication modes:
  - Configured Identity: the same user name and password is used for all consumers of the connection
  - Database Mapping: the DBUser and DBPassword associated to the BOE user are used to connect to Data Federator.
  There is no support for single sign on.
  Creating a datasource using Data Federator Designer*
  When you register a new datasource using Data Federator Designer you have three authentication modes supported:
  - Configured Identity: the same user name and password is used to connect to the database (for all DF users).
  - Principal Mapping: a mapping can be defined between a DF user and data source credentials. This is done through creating and managing "login domains".
  - Caller Impersonation: the DF user and DF password is used to connect to the data source.
  The Principal Mapping mode is pretty similar to the feature in BOE called Database Mapping except that you are not restricted to a single DBUser/DFPassword pair whatever data source you want to access. This is more flexible. Note that there is no UI in Administrator to manage login domains. You have to run built in stored procedures in the query tool.
  Hope this helps,
  Mokrane
  Mokrane Amzal
  Software Development Manager
  SAP BusinessObjects Divison

• Send email from OWB with authenticated SMTP server (AUTH_LOGIN)

  Hi all,
  I want to send email from Oracle Warehouse Builder 11.2.0.2 using a SMTP server with basic authentication (AUTH_LOGIN).
  I've created an ACL for OWBSYS user according to note ID 1229769.1 in support.oracle.com.
  But, I need to configure again the ACL to connect to the SMTP server using user and password.
  I read the article in metalink, *How to Send an Email Using SMTP over an SSL Connection [ID 1323140.1]*+
  but I don't know how can I configure again the ACL for use in OWB.
  How OWB is able to authenticate with the SMTP server?
  Thanks!
  Maximiliano.

  Duplicate -
  How to send email from OSB with Mail server that requires SSL or STARTTLS
  Regards,
  Anuj

• Mac Adobe Flash Player not supporting Web Proxy Authentication

  Anyone else got an enterprise network where you use web proxies with web authentication and no traffic allowed out except through the proxies?
  You may need to be in the UK for this, but try accessing BBC iPlayer content - http://www.bbc.co.uk/iplayer and you should discover that the content won't play. the error says "This content doesn't seem to be working. Try again later.". The content will never work as the Mac version of Flash (currently 10.1.53.64) is not able to respond to web proxy authentication requests. The BBC use various streaming server which are randomly selected when a user starts a stream and they have no DNS. Just IP addresses. They don't publish a list for security reasons. So it is almost impossible to exempt all their servers from authentication.
  I've logged a bug with Adobe. If you have this issue too, please add a comment and vote so that they can begin to grasp the impact of this problem:
  https://bugs.adobe.com/jira/browse/FP-5161

  I have the same issues in Australia trying to access flash content from the ABC website. The strange thing is the content will play if your leave the browser open for 5min.
  After several packet data captures we identified that it has to do with the amount of time it takes the Mac timeout from the proxy before it plays the video content.
  No solution yet.

• SAP Business One Integration Services Authentication Failed

  Dear ,
  ALL SAP forum members,
  Iam Using SAP Business One 8.81 PL 06, Micorsoft SQL 2008 R2
  In SLD B1DI and  JDBC, the connections were tested successfully.
  Whenever I log into SBO, I am getting "SAP Business One Integration Services Authentication Failed" error message. I did extensive research on all possible SBO documents dating 1 year back especially in B1ic Troubleshooting Document (New and Old) and searched the length of the SBO forums, but I could not a solution.
  I uninstalled and reinstalled the B1f package many a time. The integration services we re also restarted many times and the connections were all tested successfully. Firewall, AntiVirus also checked.
  In the B1f, in the Monitoring Window, the login is "Ok" but the AuthCheck is "Failed". I checked Authent.Monitor->Authentic Info  and I found the following message under Action message "Wrong Usrname and Password".
  I debugged and i found again "/com.sap.b1i.vplatform.scenarios.authen/sap.Xcelsius/Authenticate_Check.bfd
  But could not understand much of it.
  But i could go no further. The experts are requested to suggest their solutions, If any, to me as Iam stuck in this phase for the last 3 week
  I hope some experts will guide me over this issue
  Thanks and regards
  Ashish Gupte

  Hi Konstantin Ryahovsky
  Thanks for your reply. My problem is solved.
  And frankly speaking i dont know how it was solved. I have not uninstall, install ,not even i had restarted the server also.
  only change i did in SLD >> Maintainance >>> cfg Runtime >>>> Put server IP address instead of server Name and restarted the services.
  Thanks & regards
  Ashish Gupte

• Log on to Infoview with SAP authentication

  Hi Gurus ,
  Please can some one provide me documentation , to configure , Infoview with SAP authentication .
  I have R/3 system where i have a datasource and then one Remote cube in BW . On the cube developed a BEx Query  . I want to log into Infoview using SAP authentication .Now, i am able to login into Infoview using Enterprise as authentication .
  Thanks ,
  Madhu .

  Hi Madhu,
     You can go to help SAP and download the BusinessObjects SAP Kit manual, here is the link for SAP BusinessObjects products.  [http://help.sap.com/content/bobj/bobj/index.htm]
    Link for BusinessObjects XI Integration for SAP Installation Guide (XI3.1SP2) [https://websmp105.sap-ag.de/~sapidb/011000358700000843912009E/xi31_sp2_bip_sap_install.pdf]
    Link for BusinessObjects XI Integration for SAP User's Guide  (XI3.1SP2) [http://help.sap.com/businessobject/product_guides/boexir31SP2/en/xi31_sp2_bip_sap_user_en.pdf]
  I hope this help you.
  Best regards,
     Fede