Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

Similar Messages

• How can I configure ECC6.0 to use LDAP (Active Directory) password

  We're setting up an integrated authentication between the ECC 6.0 and the LDAP server, in our case the Microsoft Active Directory. We have some users that can't use WebGui because some features, that only run in the SapGui. We have already configured UME in the Sap Portal accessing directly the ADS server, and Sap Logon Ticket from Portal to ECC. Everything is ok to access the WebGui and SapGui by the Portal with the Sap Logon Ticket. However it demands that all users make the authentication previously in the Sap Portal. Is there another scenario only with SAP tools, for example using Sap Logon directly to the Active Directory. Obs.: Our entire sap servers are UNIX.

  I had already read all these notes.
  In the last week, I tried to configure the UME in our PI/XI environment to access the LDAP. As the result, the ABAP stack was perform the authentication perfectly above the LDAP. However I had some problems with the Java stack and I comeback the back. I will try it, in the next week again.
  It's what I'd like to ECC environment. Anyone has already configured the UME in an ECC? Install a basic Java stack without all Java components only the UME in order to make this integration. If it’s possible I’ll very appreciate any documentation.
  Other problem is the limitation of datasource in the UME, I didn't remember exactly but I guess that is only 5 (Authorization in the ECC, BI, SolMan, PI, APO, CRM, LDAP, Portal, etc). If it's possible I'll group the environments in different UME managers. Forget this paragraph lets focus in the integrated authentication in this thread after that authorization.

• How to authenticate Username and password in MVC using Azure Active Directory

  Need a sample application where in need to authenticate user entered logindetails using Azure Active directory.

  Hi,
  Kindly go through beneath article which helpful to understand the procedure.
  How to Authenticate Web Users with Azure Active Directory Access Control
  http://azure.microsoft.com/en-in/documentation/articles/active-directory-dotnet-how-to-use-access-control/
  Developing ASP.NET Apps with Windows Azure Active Directory
  http://www.asp.net/identity/overview/getting-started/developing-aspnet-apps-with-windows-azure-active-directory
  Adding Sign-On to Your Web Application Using Azure AD
  https://msdn.microsoft.com/en-us/library/azure/dn151790.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• SharePoint 2013 profile service account requirements when using "Use SharePoint Active Directory Import" option

  Hi All,
  I am trying to configure SharePoint Profile service. We would like a straightforward profile import from Active Directory.
  On the "Configure Synchronization Settings" page, we have chosen the option "Use SharePoint Active Directory Import" option.
  We have created a connection to the Active Directory using Configure Synchronization Connections page. We have specified the account that would be used for the import process.
  Question:
  I would like to confirm whether the account configured for the profile import need any special privileges when using "Use SharePoint Active Directory Import" option ?
  Thanks,
  Saurabh

  Grant Replicate Directory Changes permission on a domain
  To do this please follows below procedure
  On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
  On the first page of the Delegation of Control Wizard, click Next.
  On the Users or Groups page, click Add.
  Type the name of the synchronization account, and then click OK.
  Click Next.
  On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
  On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then clickNext.
  On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on
  Windows Server 2003), and then click Next.
  Click Finish.
  Thanks & Regards
  ShivaPrasad Pola
  SharePoint Developer 

• Getting AADSTS50020 error on microsoft login page when using Azure Active Directory Authentication

  We have implemented Azure Ad single sign on using auto generated code from Visual studio 2013 with organization account authentication and its working fine.
  The problem is when user is logged in in azure management portal with his live account and in other tab he try to open our app, then he directly gets below error on Microsoft login page.
  Additional technical information:
  Correlation ID: 78e13474-6f92-40ec-b463-91e36a6dae84
  Timestamp: 2015-04-14 12:27:20Z
  AADSTS50020:
  User account '[email protected]' from external
  identity provider 'live.com' is not supported for application
  'https://xxxxx.onmicrosoft.com/xxxx'. The account needs to
  be added as an external user in the tenant. Please sign out and sign in
  again with an Azure Active Directory user account.
  It works fine if I log out from management portal. Is there any way to resolve this issue without forcing user to log out from live account(management portal)?

  I assume you created a web application using VS2013 which uses the WS-Federation protocol.
  The behavior that you are seeing is expected Single-sign-on because you are logged in using the live account in the management portal.
  For WS-Federation, there is no current way for a caller to specify they want to force a fresh login, so the behavior is always the equivalent of LoginBehavior.Normal.
  The user will need to either sign-out or use an in-private session in the browse.
  If you switch to openID connect(sample at
  https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) and use the “prompt=login” query paramerter in the sign in request, this will force a fresh login.

• Lion Server 10.7.4 VPN service not using my Active Directory domain for authentication

  I have Lion Server 10.7.4 setup on a Mac Mini and I have enabled the VPN service for both L2TP and PPTP. The Mac Mini is joined to my Windows Domain at a functional level of Server 2008 R2. I have set the authentication paths to point to my domain in Directory Utility.
  What I would like to have happen is for my laptop to be able to VPN into my office network remotely using domain credentials and not local account credentials on the Mac Mini itself. This is a process I have done numerous times on Windows boxes, but for some reason the only way I can get the VPN to work on this instance of Lion Server 10.7.4 is by authenticating using local accounts only.
  Does Lion Server 10.7.4 only authenticate VPN users based on it's local account schema? Or can it truly authenticate against an active directory domain?
  Any suggestions or help is greatly appreciated. Thanks,

  Hi g-pirtle,
  Yes, I had already done that a few days ago. I was able to add the desired AD group to the allowed users/groups for the VPN service. Thats exactly what is so weird about this...it allows me to search for and add an AD user or group to the list of allowed users/groups, but then when I actually try to use a domain account to authenticate to the VPN is just gives me the "cannot authenticate" error. Very strange.
  I wondered if for some reason Apple is only allowing local accounts to be authenticated against. Sounds crazy, but I cannot for the life of me get this to work. I also wondered if Kerberizing the server would help, but when I go to join a Kerberos realm in Open Directory inside of Server Admin, it just has no realm listed in the drop down menu.
  Other than that, all other aspects of the Mac Mini being joined to the AD domain seems to be good. I'm really stumped here...
  Thanks again,

• Web Service Authentication using Microsoft Active Directory

  Hi
  Is there a way to create Oracle Java Web Services that requires authentication using Active Directory?
  Regards,
  Néstor Boscán

  If you use the SOA Suite the Oracle Web Service Manager is included in there. Using this you can add steps that will authenticate against an AD.
  cu
  Andreas

• Active Directory synchronization working, authentication not on CUBM BE5000 8.6(1a)

  I successfully set up Active Directory synchronization between my CUCM BE5000 appliance running 8.6(1a) and our Windows 2008 Server Active Directory.  Users are replicating successfully, but authentication is not working even though I am using the same LDAP manager distinguished name and password for both.  I have a suspicion to the cause of this problem but for the record, the following is my relevant configuration:
  System/LDAP/LDAP System:
  LDAP Server Type Microsoft Active Directory iPlanet or Sun ONE LDAP Server OpenLDAP Microsoft Active Directory Application Mode
  LDAP Attribute for User ID userPrincipalName sAMAccountName mail employeeNumber telephoneNumber
  LDAP Server Type: Microsoft Active Directory
  LDAP Attribute for User ID: userPrincipalName
  System/LDAP/LDAP Directory:
  LDAP Configuration Name: bgctnv.local
  LDAP Manager Distinguished Name: CN=cm.sync,OU=BGCTNV Users,DC=bgctnv,DC=local
  LDAP User Search Base: DC=bgctnv,DC=local
  LDAP Server Information: bgctnv.local, port 389 (to query any domain controller in DNS; I have also tried specific IP addresses)
  System/LDAP/LDAP Authentication:
  LDAP Manager Distinguished Name: CN=cm.sync,OU=BGCTNV Users,DC=bgctnv,DC=local
  LDAP User Search Base: LDAP user search base is formed using the User ID information (pre-populated, I cannot change this)
  LDAP Server Information: bgctnv.local, port 3268
  All of my Active Directory users are now populated and active under End Users.  However, I am not able to log into /ccmuser among other things using my valid domain credentials.  I am a super user as well as a standard end user.
  Curiously, invalid usernames (userPrincipalName in my case) return the error "Log on failed - Invalid User ID or Password" while a valid username, with or without the correct password, returns only "Log on failed."  That seems to imply that some part of the authentication or LDAP bind is taking place.
  Here's the catch.  The base domain here is bgctnv.local while we use bgctnv.org as a valid and acceptable alternative UPN suffix in Active Directory.  Every Microsoft and every third-party program I have used will accept [email protected], but I'm beginning to think that CM will not, or is having some sort of translation issue.  I read that alternative suffixes can cause problems in Active Directory forests with multiple trees, but this is a vanilla, single domain environment.
  I don't even know where to look to debug this issue.  Has anyone seen this before or can anyone tell me where to look for logs?
  Thanks,
  John

  I found the following:
  http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/8x/directry.html
  As mentioned in the section on LDAP Synchronization, in order to support synchronization with an AD forest that has multiple trees, the UserPrincipalName (UPN) attribute must be used as the user ID within Unified CM. When the user ID is the UPN, the LDAP authentication configuration page within Unified CM Administration does not allow you to enter the LDAP Search Base field, but instead it displays the note, "LDAP user search base is formed using userid information."
  This may help in some situations where there are multiple trees in an AD forest, but it is definitely not the solution.  Even with multiple trees, it is common to use alternative UPN suffixes.  Nothing in AD requires or even recommends that you exclusively use your AD domain root as the UPN suffix.
  For example, company.local may use company.com as an alternative but primary UPN suffix to provide simplicity for users.  Users can then achieve more broad SSO capabilities by using their familiar email credentials when authenticating for company.local services.
  When using UserPrincipalName as the LDAP synchronization attribute for the CM User ID, the configuration requires that the search base for authentication be derived from the UPN suffix, regardless of whether it is a single domain or multiple trees within a forest.  This makes it impossible to authenticate by UPN unless your UPN is explicitly your root domain name.  From the example above, CM would try to bind [email protected] against DC=company,DC=com instead of the correct DC=company,DC=local.
  The logical solution would be to allow the administrator the option.  Why not have a choice of whether to generate the user search base from the userid (UPN) information, or be able to specify the search base as well like it allows with any other synchronization attribute?
  Would this be a feature request, bug report, or neither?  I'd really appreciate it if Cisco considered this but I don't know the proper channel.

• APEX_LDAP.AUTHENTICATE - using Microsoft Active Directory

  Application Express 4.1.1.00.23
  Internet Explorer - 8
  Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
  Hi very new to Apex and trying to get the authenticaqtion to work against our active directory. I have setup an authentication scheme for my application chossing the schema type as LDAP Directory...my settings are as follows:
  Host : ****
  Port : 389
  Use SSL: No SSL
  Distinguished Name (DN) String : domain\%LDAP_USER%
  Use Exact Distinguished Name (DN) : Yes
  This works perfectly and authenticates the user against active directory. The problem is when I try do the following in the database as I really want to setup a custom authentication scheme, it just does not work.
  Begin
  IF apex_ldap.authenticate(
  p_username => 'testusername',
  p_password => 'testpassword',
  p_search_base => 'domain\%LDAP_USER%',
  p_host => '*****',
  p_port => 389) THEN
  dbms_output.put_line('True');
  Else
  dbms_output.put_line('False');
  End If;
  End;
  No matter what I do this always returns false. I have created a function based on same code and created a custom authentication scheme that calls the function but I always get a false. Not sure why it works one way and not the other. Also would really appreciate if someone could help me get the code above to work or help correct it.
  I have looked through the forum and tried many different search base strings but nothing seems to work.
  Regards
  Ash

  Hi Ash,
  Microsoft AD allows "domain\%LDAP_USER%" instead of a real distinguished name (DN), but this does not work with apex_ldap.authenticate. The authenticate function tries to create a DN from username and search base. It does not substitute the "%LDAP_USER%" pattern with the username. Based on the parameters I see in your example, it would try to authenticate with "cn=testusername,domain\%LDAP_USER%", which is clearly wrong, hence the authentication failure.
  What you could do is use another package, although it's not in the official API docs, like this (untested):
  Begin
      IF wwv_flow_custom_auth_ldap.authenticate(
             p_dn => 'domain\testusername',
             p_password => 'testpassword',
             p_ldap_host => '*****',
             p_ldap_port => 389)
      THEN
          dbms_output.put_line('True');
      Else
          dbms_output.put_line('False');
      End If;
  End;Regards,
  Christian

• How do i use an active directory group for vpn and not all user

  hi all,
  i have an asa 5515x...
  how do i use a particular group in active directory to have vpn/anyconnect access?  right now i believe it's for all user on my current config,
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  !integrate with active directory
  aaa-server LDAPSERVERS protocol ldap
  aaa-server LDAPSERVERS (vlan192) host 10.0.0.2
  ldap-base-dn dc=company,dc=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password 12345678
  ldap-login-dn cn=administrator,cn=Users,dc=company,dc=com
  server-type auto-detect
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  say i want this "vpn-group" object group in AD and my vpn is only anyconnect and no other vpn types.
  thanks for any comment you may add.

  The best way is to use Dynamic Access Policies (DAP). Cisco has a white paper (here) that shows how one can choose the LDAP group as one of the DAP criteria.
  DAP requires the Advanced Endpoint Assessment feature, so your licensing must support that.

• Using the Active Directory login information by UNIX

  We have 3 servers in our organisation: W2K + Exchange - members of one DOMAIN and Sun server with Solaris 8. All our clients have their login and password for the DOMAIN and the according the security policy they have to change their password periodically. Only a part of our clients have their login on the Solaris (they work using X-Terminal from their PC ).
  My question is how can I receive and update automatically the login information on UNIX(Solaris) after updating on the Active Directory . Or how can I use the login information of the Active directory by Solaris

  Are the configuration reports with the 0.0.0.0 being printed directly from the printer?  A 0.0.0.0 address indicates the printer is not actually on the network (or at least not getting DHCP information from the router).  The Print and Scan Doctor should not have been able to print to it unless it happened to be connected by a USB cable as well.
  What brand and model is the router?
  Is the wireless light a solid blue light or a flashing blue light?
  You mentioned an Active Directory Domain Services error message.  Outside of corporate networks, this is not an error message you should get.  I suspect there might be a deeper software issue at fault.  Please provide the exact steps you are using to add the printer to generate that error message.
  ↙-----------How do I give Kudos?| How do I mark a post as Solved? ----------------↓

• SSO using Windows Active Directory but without EP or Java stack

  Good morning and thank you in advance for your help.
  The question is:
  our environment includes windows domain with Active Directory, ECC 6.0 ABAP (DEV, QAS, PROD), BW 7.0 (DEV, QAS, PROD) only ABAP stack.
  I would like to know if we can enable SSO using only this configuration without introducing EP or Java stack.
  Best regards
  Max

  Hi Willi,
  It won't be that easy to understand each other... as my english is not that good either
  Most of the points introduced in the SAP help link are automatically performed by sapinst.
  Almost all my customers running on MS are not using an AV, and neither get into troubles...
  but no user ever connect on the SAP server, only admin, for maintenance purpose or SAP admin when needed...
  Internet explorer should not be used on a sever, MS itself says it should be uninstalled...
  Best regards
  SAP on SQL General Update for Customers & Partners April 2014
  10. Do Not Install SAPGUI on SAP Servers
  Windows Servers have the ability to run many desktop PC applications such as SAPGUI and Internet Explorer however it is strongly recommended not to install this software on SAP servers, particularly production servers.
  To improve reliability of an operating system it is recommended to install as few software packages as possible.  This will not only improve reliability and performance, but will also make debugging any issues considerably simpler
  “A server is a server, a PC is a PC”.  Customers are encouraged to restrict access to production servers by implementing Server Hardening Procedure. 
  SAP Servers should not be used as administration consoles and there should be no need to directly connect to a server. Almost all administration can be done remotely
  SAP on SQL General Update for Customers & Partners September 2013
  Internet Explorer (and any other non-essential software) should always be removed from every SAP DB or Application server. 
  The following command line removes IE from Windows 2008 R2, Windows 2012 and Windows 2012 R2:
  Open command prompt as an Administrator ->  dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64

• Active Directory cn field not updated from sap HR using ldap.

  Hi,
  Apologies if this is in the wrong forum area.
  I am using the LDAP facility to create and modify Active Directory records from sap HR. Initially, the name field cn that was coming across into AD was in the format of the logical system and employee number, eg, RD4CLNT22000000711.
  I then implemented the BADI HRLDAP_ATTRIBUTES which then changed this name field cn in the active directory listing to the format; surname, forename.
  It works fine when I create a new user, however the problem comes when I update the persons name in the sap hr module. The data that comes across into Active Directory shows the change to the persons surname sn, forename and displayname fields is there but the cn field is still showing as the previous name.
  In short, when a new user is created, the cn field in active directory is correct
  (surname, forename) but when the employee’s name is modified, that change is not brought across to the cn field even though the surname, forename and displayname fields are updated correctlyon AD.
  We are on release 4.70.
  Anyway, if anyone could help I would be very grateful.
  Thanks
  David

  Hi
  The problem it is causing us is that the cn field is incorrect and does not mirror the change in sap HR, therefore the Active Directory entry for the employee is not totally accurate.
  When an employee changes their name in SAP HR - usually their surname, we would then want to update the employee’s active directory account to show this change and this includes the cn field also. At the moment the firstname, lastname fields do get updated with the change so we would want the cn field to show this as well otherwise the cn field would be incorrect and not match up with the employee's AD firstname & lastname fields.
  Dave

• EUS password authentication in sql developer failing with username/password

  We have recently changed to use Enterprise User Security (EUS) for our client authentication (password global authentication).
  This is working fine but we are encountering an issue with SQL Developer whereby we can't logon using our EUS details, it simply returns the following on the logon screen:
  Status : Failure - Test failed: ORA-01017: invalid username/password; logon denied
  Logging on via sql plus client and server software and other 3rd party tools like pl/sql developer works correctly.
  It appears to be an issue with sql developer itself.
  We are using the latest Production release of sql developer 2.1
  Does anyone have any ideas?
  This is an issue for
  Edited by: david butler on Jan 14, 2010 10:45 AM

  Further to this, I have now found a suitable resolution to this that doesn't require an external client.
  There is a jdbc setting that will allow you to use EUS password authentication.
  Add the jdbc line option (below) in the sqldeveloper.conf file (backup the sqldeveloper.conf file first).
  AddVMOption -Doracle.jdbc.thinLogonCapability=o3
  The sqldeveloper.conf file can be found wherever you have installed sqldeveloper, under <INSTALL_HOME>\sqldeveloper\bin\sqldeveloper.conf.
  After you add this option, restart SQL Developer and you should be able to use your EUS username / password to authenticate via SQL Developer.

• Turn off password protection for digital signature

  I have an employee who set up his electronic signature a while back and he can't remember the password to it, and therefore he cannot sign a PDF form digitally now. How can he turn off the password without having to remember his old one?

  If that was allowed, what would the point of a password be in the first place?
  However, you don't say how the user is signing.
  If using EchoSign follow that service's process.
  If trying to access a signing certificate (digital ID), start over by creating a new digital ID (self signed).
  If you've purchased digital IDs from a vendor, ask the PKI admin.
  hth,
  Ben