User authentication in a transparent deployment

Hi all,
Just wondering, if I don't want to have to change anything on my browser in terms of proxy settings, is there any way for me to set up IronPort so that I can build policies per user (with Active Directory)?
Basically I want policies as granular as possible and don't want to touch the end users. I want everything to be invisible to the end users.
Also, I just want to know if it can be done...you don't have to get into any gory details. If you can point me to a guide or something that can further explain it then it'd be good too. I checked the User Guide but I couldn't find anything =/
Thanks much!
Cheers,
Xavier

Hello Xavier,
The WSA processes the configuration from the top down, and will first try to match an identity (GUI > Web Security Manager > Identity).
Once it has found the identity, for HTTP, it will look for the access policy that applies to it (GUI > Web Security Manager > Access Policy).
So you configure an access policy, where you will be specifying the identity you previously configured, and further drill down to groups and even down to the user.
I hope this answers your query.
Regards,
Eric

Similar Messages

  • User Authentication in Web Dynpro Java

    Hi guys,
    I was just wondering how user authentication can be achieved in WDJ? In Web Dynpro ABAP this comes for free when you launch an application. However, in WDJ we can deploy and call the URL without any authentication at all. Is there a way to configure this or do we really have to code this? Thanks! Generous points will be awarded!

    Hi Alex,
    check these links,
    Re: User Authentication in Web Dynpro Application
    Authentication of Web Dynpro
    Using Web Dynpro authentication for a Web Service call
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/dd48d990-0201-0010-92a3-c3ed7e9fd244
    http://help.sap.com/saphelp_nw04s/helpdata/en/04/ee8b8b0d23b746854897adc5611c1d/frameset.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/8304e990-0201-0010-ed8b-d978f1e67b1e
    Regards,
    vino

  • CE 7.2 NWDS wdp ws client user authentication error

    Hello CE 7.2  experts !
    I am running a CE 7.2 sp 01 env with NWDS. In my landscape I have some webservices running on PI 7.1.
    I am trying to develop a webdynpro webservice client. When run, it gets user authentication errors.
    I have configured the Service Groups, provider systems, http destinations etc for this webservice.
    After I have successfully built and deployed the wdp app, I am getting an error on the wdp GUI screen like this:
    Exception on execution of web service with WSDL URL 'http://xxxxxxx.lxx.xxxx.xxx:50000/dir/wsdl?p=sa/595aaad7bedb3cf89546e4651ea9954d' with operation 'GetBudgetRequest_out' in interface 'GetBudgetRequest_out'
    And in log trace:
    Invalid Response code (401). Server <http://xxxxxxx.lxx.xxxx.xxx:50000/XISOAPAdapter/MessageServlet?senderParty=&senderService=SLF&receiverParty=&receiverService=&interface=GetBudgetRequest_out&interfaceNamespace=http%3A%2F%2Fsfso.no%2Fagresso%2Fslf> returned message <Unauthorized>. Http proxy info:  none
    [EXCEPTION]
    com.sap.engine.services.webservices.espbase.client.bindings.exceptions.TransportBindingException: Invalid Response code (401). Server <http://xxxxxxx.lxx.xxxx.xxx:50000/XISOAPAdapter/MessageServlet?senderParty=&senderService=SLF&receiverParty=&receiverService=&interface=GetBudgetRequest_out&interfaceNamespace=http%3A%2F%2Fsfso.no%2Fagresso%2Fslf> returned message <Unauthorized>. Http proxy info:  none
    Any help / hints are appreciated.
    Hope to get a prompt solution.
    best regards,
    Ajeet Phadnis

    Hi,
    Please upgrade SP01 to SP05.
    Please look at these two forum threads:
    "Error executing webservice in BPM" and "Call to sr.esworkplace fails"
    Hope this is helpful for you
    Regards
    Vijay

  • 802.1x for user authentication setup questions

    Hi,
    I am fairly new to the 802.1x realm, I have read several documents on how the setup is accomplished and I was hoping someone could validate the setup I have in mind to make sure I am on the right page.  Any comments or assistance would be greatly appreciated, I do not have the infrastructure to test everything before hand.
    I have a remote site with a switch and router.  I want to authenticate users using their AD credentials. At the datacenter I will have ACS 5.2, a Windows 2008 enterprise server for AD service and CS service. I do not have the option to install an additional client on the PC like AnyConnect; I need to use the Windows OS supplicant without installing physical certificates on the machine.
    - Within the CS service I will generate a certificate that will be imported by ACS.
    - I will activate ACS to integrate with AD
    - I do not want to install certificates on the client machines so I will use PEAP w/ MSCHAPv2
    - The authenticating clients will be XP w/ SP3, I am hoping that a group policy can be created to enable the wired service to start automatically and I will also need to add my CS/CA server as a trusted authority unless I purchase a VeriSign certificate to be used. Correct? or will this need to be done when the desktop image is installed on the pc?
    Additional Questions:
    - With the setup I described above using MSCHAPv2 when the user boots the computer in the morning, hits ctrl+alt+delete and provides their AD credentials will this act as a single sign on? first authenticating them through 802.1x so the port is authorized and then authenticating them to the AD server? or will there be some type of pop up window that will appear before the ctrl+alt+delete window? making the user provide credentials twice (annoying)
    - Once the user is authenticated can I push an ACL down to the switch to enforce a set policy? or does this happen on the router?
    - Most of the documents I have read are related to L2 802.1x is there a  L3 option that includes the router that I should be looking at to  provide more features?
    - can anyone speak to their experience with the Windows OS supplicants? is the functionality flaky/clunky or if the backend is setup properly it works seamlessly?
    Sorry for the long winded post but I am kind of shooting in the dark without having the equipment to test with. Any help is appreciated!
    Thanks

    Thanks to you both for the responses.
    I have a few followup questions which I have added inline.
    Q:
    - With the setup I described above using MSCHAPv2 when the  user boots  the computer in the morning, hits ctrl+alt+delete and  provides their AD  credentials will this act as a single sign on? first  authenticating them  through 802.1x so the port is authorized and then  authenticating them  to the AD server? or will there be some type of pop  up window that will  appear before the ctrl+alt+delete window? making  the user provide  credentials twice (annoying)
    A:  If you select "Use windows credentials" it won't prompt you for credentials. so All automatic.
    However  note that it will only login AFTER you entered the credentials on the  logon page. So you won't have network connectivity for the initial  logon, so no login scripts this way.
    With your comments I am rethinking my approach, I am considering that if the company security policy will allow it I will do machine authentication only instead of user auth.  Obviously this is not as secure since a rogue user could change the local admin password and have access to the network.  But in terms of simplicity and ease of use machine authentication provides a transparent authentication mechanism that should suffice.  I would just have to sell the solution to security.
    There are a few things I need to understand before pursuing this.
    - will the machine be 802.1x authenticated and on the network before the  ctrl+alt+delete? so when user logs in the machine has passed 802.1x  already and has received ip from dhcp? this is my hope.
    - is peap/mschap still the supported protocol so no physical cert is required per machine? no EAP-TLS
    - is the machine profile on the AD server used for 802.1x verification/authentication? meaning ACS will pass off to AD to verify the machine is part of the domain? or do you have to create machine profiles in ACS?
    - I have read a few articles out there about issues with machine auth with clients using XP, perhaps this was related to previous service packs before SP3? there was mention of registry changes required etc.
    - is there a different supplicant offered by cisco that is more robust that would provide more stability or is the cisco supplicant cost money per user license or other etc.
    Again your feedback is invaluable as I do not have the physical equipment to test with.  Unfortunately I have to propose a solution before actually testing something which I am not particularly fond of.
    Regards,
    Eric

  • Redirect to the jsp page after user authenticated successfully  …

    Here is the requirement …
    I’m using “JAAS – Custom Login Module” for user authentication.
    I have few questions in Portal Logon process …
    1. Exactly at what point I can conclude that the user has been authenticated successfully, because I have to redirect the user to some other page for the first time logon to enter some information, subsequent logins shouldn’t be redirected. (I can update flag upon entering information).
    2. Where should I add my redirection code? Is it in my JAAS Custom Login Module?
    If yes, how can I do that? I’m more concerned with “where should I add it”?
    3. Do I need to change my “UmLogonPage.jsp” to complete my requirement?
    4. Once after entering the Logon information, who will call my JAAS – Custom Login Module for authentication? If authentication has failed who will return the control back to the “umLogonPage.jsp”?
    5. In my JAAS Custom Login Module, I have no redirections except having logic for authentication process, and some Login Exceptions are thrown for failure logins.
    6. Who will catch these exceptions for failure logins to redirect back to the “umLogonPage.jsp”.
    7. Finally, I would like to know where I can add my redirection logic once the user has been authenticated successfully?
    8. Last but not least, can any of the experts explain the whole login process (using the JAAS module)? How does the control go from one component to another?
    Any kind of help is appreciated.
    Points can be awarded for useful answers.
    Thanks
    MMK

    Thanks a lot for your valuable reply.
    yes what you said was correct, storing information in R/3 System and getting the details from FM using Connector framework.
    You said I have to modify "header.jsp", can you please tell me which .par file I should get to modify?
    one more question to you ... i have provide custom logon error messages to the user ... i did all the modification in logon.par and deployed in EP 6 .. working fine .. i can able to see "User ID Missing" , "Password Missing" etc ..
    When I place the same piece of code in EP 7 it always displays "User Authentication failed". Can you guess what would be the problem?
    Thanks
    MMK

  • Anyconnect 3 NAM Profile user authentication failure

    Hello,
    I use Cisco AnyConnect as a supplicant for my 802.1x enabled network, we use EAP-TLS. I created a wired profile with the standalone profile manager and deployed it to my clients. Machine authentication works fine, but as soon as I log in to the device the user authentication is not working and AnyConnect falls back to an open wired network.
    I don't see any logs in my ACS.
    But when i create a profile on the device itself the EAP-TLS authentication works without any issues.
    any ideas?
    regards
    alex

    Hello Luke-
    I have faced the same issue with MAR (Machine Access Restriction) in the past. It all worked great while we had wireless authentication only but things went out of control once we started to roll out wired.
    I have been working with ISE for a little bit now and I can tell you that the same issue is still present. It would be pretty nice if they can "fix" this but as of right now you would face the same exact issue. So if you want to do user+machine authentication, you have a couple of options that were recently discussed in this thread:
    https://supportforums.cisco.com/message/3775027#3775027
    To answer your other question:
    So is there a trick to get NAM to trigger machine re-authentication without having to reboot?
    Back when I had this issue I was able to "trick" the native Windows client to perform machine authentication again by going to "Start Menu > Shut Down > Switch User." In the new window it is important not to click on the already logged user but to select "New/Different User." There you can still type the same credentials for the already logged user. This seemed to force the machine to pass its machine credentials again without having to reboot the machine, which is still not ideal and not user friendly at all but that is all I have. Also, do keep in mind that I have not tested this with the AnyConnect client so results may vary.
    Thank you for rating!

  • 802.1X wireless restriction on user authentication

    Hi,
    In the 802.1x wireless environment, I would like to know is there any method to control single user credential only able to be authenticated for one time, at any given time.
    Example: user ABC in domain XYZ.ORG authenticated via his/her desktop, this is using user authentication method.
    After this he/she not able to use the same username/password trying to get authenticate neither using any another PC/tablet/smartphone devices.
    The motive is to prevent user using same user credential able sign-in after he/she made the authentication at first place.
    Meaning to say he/she only able to authenticate to single device, at any given time. Same user credential is not allow to be use for authenticate purpose on other device.
    The components as below:
    supplicant: Window 7, authentication method using PEAP/MSCHAPv2; Apple iPhone iOS version 5.x, 6.x
    Authenticator: Cisco Wireless Controller 5800 Series on code version 7.2
    Authentication server: Cisco secure server ACS 5.3
    Identity Source : Microsoft server 2008 ADDS, single forest single domain.
    Question:
    01. What we can configure on WLC, or ACS to enable above mention requirement
    Thanks
    Noel

    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112175-acs51-peap-deployment-00.html

  • User authentication Failed in XMII portal

    Hi,
    We are using XMII 12.0 version, deployed in SAP NetWeaver 2004s. We are frequently facing an issue in XMII Menu page login and in SAP NetWeaver user management logins as "User authentication Failed". It is happening for all users suddenly. We are giving the username and password correctly but we faced the same problems. We tried with all users, and even then we are not able to find the problem. Every time we need to restart the server, then it works.
    What is the issue and how to resolve it?
    Regards,
    Senthil

    Hi Senthil,
    I would strongly recommend upgrading your installation.  You are on 12.0.2 and the current release is 10 service packs later.  You should upgrade to 12.0.12 before working on what is probably the original GA version from about 4 years ago.
    Regards,
    Mike

  • 802.1x machine vs user authentication

    In the process of deploying 802.1x on wired LAN. What is the difference between machine authentication and user authentication? Thanks in advance.

    OK, so assuming we're still talking the MSFT supplicant, you have some options:
    1) Use EAP-TLS and mark any certs deployed to your corporate-owned assets as non-exportable. This solves the issue by brute force. You don't exactly need machine-authentication to do this. You may need machine-auth for other reasons (as I believe we've discussed here).
    2) If PEAP is in use, use the machine-auth and the Machine-Access-Restriction feature in ACS. What this does is a coupling of the notions of machine-auth as a preceding policy decision for user-auth. Example: It is technically possible that anyone with a valid NT account may be able to 802.1x-authenticate from "any" machine. But with the machine-access-restriction feature, they will only be able to do so if ACS has also authenticated a valid machine-auth session prior to the login attempt.
    3) Use a NAR in ACS. A NAR is a Network Access Restriction. If for example, you have a database of all the MAC Addresses you have (or an OID wildcard) you can configure further checking of a MAC address from an otherwise valid 802.1x authentication attempt. This effectively tells ACS to only allow authentication attempts from MAC Addresses it knows about.
    Hope this helps.
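
Options 2 and 3 from the answer above (Machine-Access-Restriction and a NAR), modelled as an added example that is not part of the original post and is not Cisco ACS code. It shows which user logins each restriction rejects; the field names, the 8-hour aging window and every event are constructed assumptions.

```python
"""Simplified model of the MAR and NAR checks described above.

Added illustration, not Cisco ACS code: field names, the aging window and
all sample events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuthEvent:
    ts: int          # seconds since the start of the sample
    kind: str        # "machine" or "user"
    identity: str    # host/<name> for machines, account name for users
    mac: str         # MAC address the 802.1x attempt came from
    creds_ok: bool   # did the EAP credential check itself succeed?


class Policy:
    """Access decision with optional MAR (aging window) and NAR (MAC list)."""

    def __init__(self, mar_aging_s: Optional[int] = None,
                 known_macs: Optional[Set[str]] = None):
        self.mar_aging_s = mar_aging_s  # None: MAR disabled
        # None: NAR disabled; otherwise the inventory of permitted MACs
        self.known_macs = (None if known_macs is None
                           else {m.lower() for m in known_macs})
        self._machine_seen: Dict[str, int] = {}  # MAC -> last machine auth

    def decide(self, ev: AuthEvent) -> Tuple[bool, str]:
        mac = ev.mac.lower()
        if not ev.creds_ok:
            return False, "credentials rejected"
        # NAR: an otherwise valid attempt must come from a known MAC.
        if self.known_macs is not None and mac not in self.known_macs:
            return False, "NAR: MAC not in inventory"
        if ev.kind == "machine":
            self._machine_seen[mac] = ev.ts
            return True, "machine authenticated"
        # MAR: user auth requires a recent machine auth from the same MAC.
        if self.mar_aging_s is not None:
            seen = self._machine_seen.get(mac)
            if seen is None:
                return False, "MAR: no machine auth seen from this MAC"
            if ev.ts - seen > self.mar_aging_s:
                return False, "MAR: machine auth aged out"
        return True, "user authenticated"


def evaluate(policy: Policy,
             events: List[AuthEvent]) -> List[Tuple[str, bool, str]]:
    """Run events in time order; return (identity, allowed, reason)."""
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        allowed, reason = policy.decide(ev)
        results.append((ev.identity, allowed, reason))
    return results


# Constructed sample data.
CORP_MAC = "00:11:22:33:44:55"    # corporate laptop
OTHER_MAC = "66:77:88:99:AA:BB"   # device that never machine-authenticates
MAR_AGING_S = 8 * 3600            # assumed aging window

SAMPLE_EVENTS = [
    AuthEvent(0, "machine", "host/LAPTOP-01", CORP_MAC, True),
    AuthEvent(60, "user", "alice", CORP_MAC, True),
    AuthEvent(120, "user", "alice", OTHER_MAC, True),   # valid account, other device
    AuthEvent(40000, "user", "bob", CORP_MAC, True),    # after the aging window
    AuthEvent(40010, "user", "carol", CORP_MAC, False), # wrong password
]

if __name__ == "__main__":
    policies = {
        "no restriction": Policy(),
        "MAR only": Policy(mar_aging_s=MAR_AGING_S),
        "NAR only": Policy(known_macs={CORP_MAC}),
        "MAR + NAR": Policy(MAR_AGING_S, {CORP_MAC}),
    }
    for label, policy in policies.items():
        print(label)
        for identity, allowed, reason in evaluate(policy, SAMPLE_EVENTS):
            print(f"  {identity:16} {'PERMIT' if allowed else 'REJECT'}  {reason}")
```

The "aged out" rejection of bob is the wired-LAN symptom described in the AnyConnect thread further up this page: the user's credentials are valid, but the machine has to authenticate again before the login is accepted.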

  • Error in programmatic user authentication

    Hi All,
    I have the same problem related in this thread:
    Problem in Programmatic User Authentication
    Here the solution was to use OC4J 9.0.3 instead of OC4J 9.0.4
    Is there another solution ?
    Thanks in advance
    Benito

    Navid,
    I was looking in the other thread and there was a problem related to validating the user, and also one concerning the dms.jar. I assume that you are referring to the former. Can you please state your current summary of the problem?
    The main difference between running in Embedded OC4J and deploying to OC4J is the following: Running in Embedded OC4J you might have a different set of jar files you run against. You can check the jars used in JDeveloper 10g by choosing the menu option Tools - Embedded OC4J Preferences. Then choose Libraries (there is one Libraries entry under Global, and one under Current Workspace). This set of libraries is probably different from the one in the EAR file.
    * You could try making them the same and see if that helps.
    * You could also try using the JDeveloper deploy tool to create an EAR file instead of the Ant script (if you are using Ant now).
    * You can also try to deploy to the standalone OC4J that is included with JDeveloper. In the WebServices tutorial at http://www.oracle.com/technology/obe/obe9051jdev/WebServicesOBE/OBEWebServices.htm it is described how to do that. If this works, there is a difference in the way OC4J 9.0.4 is installed or configured (or the patch level).
    Besides trying to solve the differences between Embedded OC4J and standalone OC4J, I would like to point out the following: I noticed that bug 3412804, which could well be the one you are running into, is fixed in a patch set for OC4J 9.0.4, but is not fixed yet in OC4 10.1.2 (see backport bug 4135710). Did you test with OC4J 9.0.4 after applying the patch for bug 3412804? See MetaLink for more information (http://metalink.oracle.com).
    hope this helps,
    Sandra Muller
    JHeadstart Team
    Oracle Consulting

  • User Authentication possible???

    Greetings all.
    I'm working on a contract where the client is taking a first step at SOA, mainly for
    automating now manual processes. Part of the requirement is to implement a user interface to
    input/view data. The user interface is to be a web-app and any new business logic is to be
    done using JEE/Java web services. CAC's (Common Access Cards) (PKI certificates) are to be
    used for user authentication along with SSL.
    The problem is that while the client has stated that the user
    interface is to be made available as a thin-client (web browser), they have also stated that
    the server is NOT to be certificate enabled, only the application.
    Is this even possible?
    This client is extremely frustrating as they have tasked many of their own people with JEE
    design and project management, yet not a single one of them has ever done any JEE
    development, and very little, if any, other programming, and are very lacking in the
    area of project management and meeting organization.
    If it is possible, I suspect it would either be a huge amount of work, or require purchasing
    a third party product, which again, is something they have said they do not want to get
    locked into.
    Any thoughts.
    -Ed.
    To clarify, the question is, is it possible to do 2-way mutual client-cert authentication without having to configure it at the server?
    Edited by: Ed_Ward on Nov 12, 2009 3:20 PM

    I have seen a couple solutions to the problem that you are facing. I unfortunately have seen situations such as yours more than once.
    In the past I usually simply tell them that they are incorrect in their requirements: the server will be certificate enabled as "they know" this is the normal scenario. This strategy is usually "employment limiting". But I like it.
    If you are using SSL then it is likely that personal information or personally identifiable information is being transferred. Many areas have laws about this; with a little research you could make the case they must allow certificates on the server for legal compliance (which may actually be true).
    If the server is not to be certificate enabled then perhaps enable certificates on another server.
    I have seen authentication done for applications deployed on GlassFish in which the user had a user name, password and a dongle (which contained a client cert) that plugged into the USB port. In this case they were using OpenSSO. Plug-ins, features and profiles in OpenSSO handled all the login issues.
    You could try mutual-authentication at a reverse proxy server in front of the application. ie set-up apache with a mutual auth ssl virtual host which passes through to the application with mod_jk. just keep the application server well fire-walled.
    Unfortunately most cases like this that I have been in are projects designed to fail. Which in my opinion is also a legal issue. Either way I would like to hear how things turn out.

  • User Authentication for subfolder not working in Web Browser

    We are using Oracle Application Server 10.1.2.3 and Database Server 10.2.0.5 for our application.
    One of the functionalities of the Application is to send emails with attachments.
    The logic is that the Application would generate the attachment file on the Application Server.
    Then a database package uses Oracle's utl_http package/procedures(more specifically utl_http.request_pieces where the single argument is a URL) to pick up the file from the Application Server via URL, attach the file and send the email.
    Exchange and Relay Server is also set in the Application.
    The problem is that the folder containing the folder which stores the attachments is having user authentication set.
    Example : The main folder is /apps/interface, this folder requires a valid user when it is accessed via URL on a web browser.
    Alias created in httpd.conf
    Alias /int-dir/ "/apps/interface/"
    The folder /apps/interface/email/ is the folder where the attachment files are generated and stored.
    Application Server : 10.12.213.21
    Database Server : 10.12.213.22
    Email Server : 10.12.213.44
    Configuration as per httpd.conf
    Alias /int-dir/ "/apps/interface/"
    <Location /int-dir/>
    AuthName "Interface folder"
    AuthType Basic
    AuthUserFile "/u01/app/oracle/as10g/oasmid/Apache/Apache/conf/.htpasswd"
    require user scott
    </Location>
    <Location /int-dir/email>
    Options Indexes Multiviews IncludesNoExec
         Order deny,allow
         Deny from all
         Allow from 10.12.213.21
         Allow from 10.12.213.22
         Allow from 10.12.213.44
    </Location>
    Using the above configuration the Application is able to attach the files and send the email, however, when we access the following URL :
    http://10.12.213.21:7778/int-dir/ - it prompts for user authentication
    However if we use the following URL :
    http://10.12.213.21:7778/int-dir/email/ - it does not prompt for user authentication, and all the files in the folder are displayed in the browser.
    I have tried so many things including AllowOverride, .htaccess, but I am not able to get user authentication for the email folder.
    Please help me if you can.
    Thanking you in advance,
    Glad to give any more information that I can.
    dxbrocky

    Thanks for your response.  I fixed the problem by selecting "full site" or "full website" at bottom of the web page.  After making this selection the zoom function returned.  Thanks again for your interest.

  • User Authentication failed

    Hi all,
    I like to share one of my peculiar issue with you and like to get a solution as well.
    I am trying to install a portal server with the R3load based method. I did a Java export of the MSSQL Portal server and successfully imported it in the newly installed server. The server is up and running. I also completed the post-installation activities like SLD, SSO and JCo creation. I am not able to log in to the Java page using the administrator user or other users. It keeps on saying that user authentication failed.
    But the beauty is that using the same administrator user I am logging in to the Visual Administrator.
    I dont know where the problem and also i verified the log files under cluset/server nodes. There i found the log as  follows  --- > Connection is already closed and no longer associated with a managed connection,,
    I dont know where i am missing. Due to this I reinstalled the server and imported again..But the same problem is existing to me. Anyone have suggestion on this please do reply.
    Thanks and Regards
    Vijay

    Hi,
    Thanks for the reply. It's only a Java system, so no activity needs to be done in SU01. I checked the table in the database; the users exist in the table as well.
    FYI: I am able to log in to Visual Admin but not to the Java pages like
    http://<hostname>:port/
    http://<hostname>:port/irj
    Hope I explained my problem in the right way
    Regards
    Vijay

  • Email Receiver Dynamic User Authentication, is it possible?

    Hello Experts,
    I have a scenario SAP ECC->SAP PI->Gmail Mail Server. The interface is working fine now; the thing is that I want to configure the user authentication in a dynamic way. I tried to do it in a UDF in the Message Mapping, using the dynamic values for the
    TServerLocation
    TAuthKey
    fields, but it is not working. Am I using the correct header fields, or is there another way to change these parameters? Thanks in advance for your answers.
    Regards,
    Julio Cesar

    Hello Gopal,
    I'm using Plain. It works fine if I fill in the fields for User and Password in the comm channel, but if I try using the fields in a dynamic way it is not working. Thanks for your answer.
    Regards,
    Julio

  • Use Microsoft Online Directory Services as a user authentication provider for our own SharePoint farm?

    Hi,
    I've managed to configure my farm so that  Microsoft Online Directory Services (Office 365 etc.) can be used for STS authentication, but what I'm actually trying to do is allow user authentication - that is, I'm hoping to be able to use the user's
    O365 credentials to authenticate them in my own farm so they can view certain parts of it. If I need to write my own login form or authentication provider or whatever that's fine, as long as the user doesn't need to enter anything when they access my farm
    (provided they already have cached O365 credentials in their browser session).
    FWIW I actually need to be able to support the possibility that users are coming from multiple O365 tenancies, whereby each site collection will be configured to allow users from a different O365 tenancy (more or less).
    If it's not possible to do with my own development farm on a PC, is it possible if the farm is hosted in Azure?
    Thanks
    Dylan

    Hi  Dylan,
    According to your description, my understanding is that you want to use Microsoft Online Directory Services as a user authentication provider for your SharePoint farm.
    For your demand, you can configure a hybrid topology for your SharePoint farm:
    http://technet.microsoft.com/en-us/library/jj838715(v=office.15).aspx
    http://technet.microsoft.com/en-us/library/dn197168(v=office.15).aspx
    Thanks,
    Eric
    Eric Tao
    TechNet Community Support
