User Authentication possible???

Similar Messages

• Is it possible to do machine and user authentication in same Authorization profile?

  Hi,
  I want to know is it possible to do machine authenticaiton and user authentication happen at the same time? Some thing like this...
  Condition
  IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
  Permissions
  then Vlan x
  Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
  Any help will be of great value.

  Hi,
  IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
  - Not possible
  As user and machine authentication occur at different contexts.
  ACS cannot verify the both at the same time.
  Using MAR, you can, though club the both together and achieve:
  "machine is part of domain and user is valid only then he should be able to have full access"
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
  Tips for configuring MAR:
  1) Set the client to perform user or computer authentication.
  2) Create two rules in authorization, one for user and and one for machine (identity them by using group membership on AD).
  3) Enable MAR under the AD configuration page on ACS and set the aging time.
  4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
  Rate if useful

• Email Receiver Dynamic User Authentication, is it possible?

  Hello Experts,
  I have a scenario SAP ECC->SAP PI->Gmail Mail Server, now the interface is working fine, the thing is that I want to configure the user Authentication in a dynamic way, I tried to doit in a UDF in the Message Mapping, using the dynamic values for:
  TServerLocation
  TAuthKey
  fields, but is not working, am I using the correct header fields?, or is there another way to change this parameters?, thanks in advance for your answers.
  Regards,
  Julio Cesar

  Hello Gopal,
  Im using Plain, it works fine if I fill up the fields for User and Password in the comm channel, but if I try using the fields in a Dynamic way is not working, thanks for your answer.
  Regards,
  Julio

• Use Microsoft Online Directory Services as a user authentication provider for our own SharePoint farm?

  Hi,
  I've managed to configure my farm so that  Microsoft Online Directory Services (Office 365 etc.) can be used for STS authentication, but what I'm actually trying to do is allow user authentication - that is, I'm hoping to be able to use the user's
  O365 credentials to authenticate them in my own farm so they can view certain parts of it. If I need to write my own login form or authentication provider or whatever that's fine, as long as the user doesn't need to enter anything when they access my farm
  (provided they already have cached O365 credentials in their browser session).
  FWIW I actually need to be able to support the possibility that users are coming from multiple O365 tenancies, whereby each site collection will be configured to allow users from a different O365 tenancy (more or less).
  If it's not possible to do with my own development farm on a PC, it is possible if the farm is hosted in Azure?
  Thanks
  Dylan

  Hi  Dylan,
  According to your description, my understanding is that you want to use Microsoft Online Directory Services as a user authentication provider for your SharePoint farm.
  For your demand, you can configure a hybrid topology for your SharePoint farm:
  http://technet.microsoft.com/en-us/library/jj838715(v=office.15).aspx
  http://technet.microsoft.com/en-us/library/dn197168(v=office.15).aspx
  Thanks,
  Eric
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support,
  contact [email protected]
  Eric Tao
  TechNet Community Support

• End-to-End user authentication with XI

  Dear community,
  we sit in a situation where the customer wants to have an end-to-end-authentication throughout an integration process.
  The setup is as follows: a dialog-user in a legacy system uses an application that triggers an integration process through XI into SAP ERP. The dialog-user in the legacy system must be used for authentication in XI as well as SAP ERP.
  To avoid having to re-create all users in XI and SAP ERP, ideally an LDAP instance would be used for authentication.
  Based on my knowledge, the above scenario is not possible with XI and there is a 2 year old thread discussing the same without any positive outcome:
  XI and user authentication VS R/3 systems
  Nevertheless I consider this requirement as a pretty standard one. Has there been any development in this area - or how have similar customer requirements been met ?
  Thanks a lot in advance !
  Jochen

  Hi Jochen,
  i've heard rumours saying that credential forwarding will be incorporated in the next XI release as it is a rather frequent requirement by customers and will make live much easier.
  Maybe you can get a statement through your clients SAP account representative on the release date and the planned feature.
  Regards
  Christine

• Using Proxy User Authentication in Sql Developer

  Hi!
  Is it possible to use proxy user authentication in SQL Developer? I'm thinking that if I'm clever enough, I can craft a custom jdbc URL that will allow my users to proxy authenticate into my Oracle 10gR2 database while using SQL Developer.
  Unfortunately, I'm not feeling all that clever. ;)
  Can anybody help me out here? Is it even in the realm of possibility?
  Thanks!
  Kevin Ferlazzo
  DBA
  VA Department of Juvenile Justice

  I found the possibility that proxy authentication of both accounts can be enforced:
  SQL> alter user appuser grant connect through personaluser AUTHENTICATION REQUIRED;
  I guess that this is the motivation for implementing the 2-session proxy connection method in SQL Developer.
  Regards,
  Martin

• Proxy User Authentication with SQL Developer

  Hello,
  I realized that there are 2 methods for configuring SQL Developer to user Proxy User Authentication.
  1) one-session method with Syntax:
  personaluser[appuser]
  2) two session-method with dialog "Proxy Connection"
  For me it is unclear, why anybody would want to use the two-session-method.
  a. you need username/password for both user acocunts (personaluser and appuser)
  b. it is unclear which operations in SQL Developer are using the personaluser account. It seems that the SQL Window is only using appuser account.
  What was the motivation to implement Two Session Method?
  Best regards,
  Martin

  I found the possibility that proxy authentication of both accounts can be enforced:
  SQL> alter user appuser grant connect through personaluser AUTHENTICATION REQUIRED;
  I guess that this is the motivation for implementing the 2-session proxy connection method in SQL Developer.
  Regards,
  Martin

• Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

  Hi,
  Since we implemented Cisco ISE we receive the following failure on several Notebooks:
  Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
  This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
  The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
  Why is this happening?
  Thanks,
  Marc

  The possible causes of this error message are:
  1.] If the end user entered an incorrect username.
  2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
  3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
  In your cases, the 3rd option seems to be the most closest one.
  Jatin Katyal
  - Do rate helpful posts -

• Machine Authentication and User Authentication with ACS v5.1... how?

  Hi!
  I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
  This is the goal:
  On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
  Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
  I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
  I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
  "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
  But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
  I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
  Thank you.

  Hello again.
  I found out how to do this now..
  What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
  After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
  You must also remember to change the AuthMode option in Windows XP Registry to "1".
  What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
  That would have plugged a few security holes for me.

• User authentication for webservices

  Hi,
  I am using Oracle R12.
  I want to know how oracle handles user authentication when calling custom APIs through Integrated SOA Gateway.
  I know that we are using security headers to do this.  The header part is given below.
     <soapenv:Header>
       <xx:SOAHeader>
          <xx:Responsibility>INVENTORY_VISION_OPERATIONS</xx:Responsibility>
          <xx:RespApplication>INV</xx:RespApplication>
          <xx:SecurityGroup>STANDARD</xx:SecurityGroup>
          <xx:NLSLanguage>AMERICAN</xx:NLSLanguage>
          <xx:Org_Id>204</xx:Org_Id>
       </xx:SOAHeader>
       <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:UsernameToken wsu:Id="UsernameToken-1">
             <wsse:Username>uname</wsse:Username>
             <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</wsse:Password>
             <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">rerr6et6eHFV</wsse:Nonce>
             <wsu:Created>2013-02-13T08:58:50.649Z</wsu:Created>
          </wsse:UsernameToken>
       </wsse:Security>
    </soapenv:Header>
  But when a person is simply logging in to the application how can we choose a responsibility without know what responsibilities a person has?
  The  <xx:SOAHeader></xx:SOAHeader> is not mandatory. So can i simply not pass this header? Or is there a default responsibility that can be specified for all users?
  Also in what scenarios is the <wsse:Security> header not required? I recently checked and found that even without providing the Security header, it is possible to execute service in ISG. Hence the question.
  Thanks,
  Anoop

  Hi,
  Ok, so you want to know for an user , what responsibility you should use in order to be able to perform the invocation?
  Here is an example for Sysadmin user
  Select usr.user_name,usr.user_id, resp.RESPONSIBILITY_NAME ,
  resp.RESPONSIBILITY_KEY, grp.SECURITY_GROUP_KEY, grp.SECURITY_GROUP_ID,
  APP.APPLICATION_SHORT_NAME ,APP.APPLICATION_ID
  From FND_USER_RESP_GROUPS furg, FND_USER usr, fnd_responsibility_vl
  resp,FND_SECURITY_GROUPS grp,FND_APPLICATION APP
  where furg.user_id=usr.user_id
  and furg.RESPONSIBILITY_ID=resp.RESPONSIBILITY_ID
  and furg.SECURITY_GROUP_ID=grp.SECURITY_GROUP_ID
  and furg.RESPONSIBILITY_APPLICATION_ID=APP.APPLICATION_ID
  and usr.user_name='SYSADMIN'
  regards
  Mihai

• Programmatic User Authentication in JHS 10.1.3

  Dear JHeadstart Team,
  I want to implement such functionality that was in the JHeadstart 9.05 called "Programmatic User Authentication".
  I have implemented the authentication and role based security using JHeadstart 10.1.3 (using custom security) but I just used some predefined roles like the ones used in chapter 5 of JHeadstart Developer's Guide.
  Is it possible to have a completely dynamic user management which show/hide tabs based on information in the tables (like the ones used in the old JHeadstart with use of groups and RoleGroups and Roles tables)? If so, How can I implement that?
  Any help would be highly appreciated.
  Thanks in advance,
  Navid

  Navid,
  Yes, this is possible. JHeadstart simply calls the hasAccess method on the JhsUser interface. So, rather than passing in a role name, you can also pass in a group name, your implementation of the JhsUser interface should then pick up the group name and perform a qeury that looks up the roles that provide access to this group, and then check whether the current user is in one iof these roles. This is the same mechanism as we had in 10.1.2 JHeadstart Demo.
  Steven Davelaar,
  JHeadstart Team.

• Trusted User Authentication

  Hi,
  Our solution currently offers three SSID's.  One corporate SSID for trusted users (employees) with trusted (company managed) devices, one guest SSID for external guests who are not trusted and use non-trusted devices and then a third "guest" SSID that allows trusted users (employees) to connect using untrusted (personal) devices to access the Internet via a separate proxy system.  The guest SSID for trusted users is the focus of this question.
  We currently use a local RADIUS database on ACS 5.2 for the users, which works but requires another user account and obvious password management overhead.  Given that a global employee directory exists which has its own account & password management system in place has made me consider this as an alternative to local authentication on ACS.
  The external identity store is an LDAP database and I have configured network access for the ACS to query the schema.
  I understand that web authentication can use LDAP as an authentication mechanism, however I would like to keep the SSID as secured using 802.1x if possible and not use an open or PSK secured solution as this would contravene current security standards.
  So, can I configure the WLC to send an authentication request to the ACS via RADIUS over 802.1x and then for the ACS to forward that request on to an external identity store using LDAPS?
  I am currently reveiwing the configuration document and believe I have each individual component in ACS configured but cannot see the LDAPS traffic ever leaving it to query the external identity store.
  Any thoughts or comments would be appreciated....
  Thanks,
  Dave

  Hi Dave,
  That is surely possible and that is what LDAP identity store is fore.
  You create the LDAP identity store and point the WLCs to use the ACS (not the LDAP server).
  Now, when a wifi client tries to connect the WLC sends the request to the ACS.
  At this point the request reached ACS. So, in order to proceed with quering the LDAP server for that user, you need to tell the ACS for this user that is connecting to this SSID please send the query to the LDAP server and trust what it tells you about the user authentication status.
  Have you configured this piece of configuraiotn on ACS? to send the traffic to the LDAP DB?
  In the Access policy you need to choose the configured LDAP identity store. Have you done that?
  If you still have problems please try to provide screenshots of you config.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• 802.1x machine vs user authentication

  In the process of depolying 802.1x on wired LAN. What is the difference between machine authentication and user authentication? Thanks in advance.

  OK, so assuming we're still talking the MSFT supplicant, you have some options:
  1) USe EAP-TLS and mark any certs deployed to your corporate-owned assets and non-exportable. This solves the issue by brute force. You don't exactly need machine-authentication to do this. You may need machine-auth for other reasons (as I believe we've discussed here).
  2) If PEAP is in use, use the machine-auth and the Machine-Access-Restriction feature in ACS. What this does is a coupling of the notions of machine-auth as a preceeding policy decision for user-auth. Example: It is technically possible that anyone with a valid NT account may be able to 802.1x-authenticate from "any" machine. But with the machine-access-restriction feature, they will only be able to do so if ACS has also authenticated a valid machine-auth session prior to the login attempt.
  3) Use a NAR in ACS. A NAR is a Network Access Restriction. If for example, you have a database of all the MAC Addresses you have (or an OID wildcard) you can configure further checking of a MAC address from an otherwise valid 802.1x authentication attempt. This effectively tells ACS to only allow authentication attempts from MAC Addresses it knows about.
  Hope this helps.

• UME Create user not  possible

  Portal 7.0 sp10 2004s
  ECC 6.0 sp 10  ERP 2005
  Portal is connected to ABAP backend for user authenticity,
  Data source configuration file is dataSourceConfiguration_abap.xml which should allow users created in the portal to be in the UME database only.
  Problem, When creating users on the Portal they are automatically being created with a datasource of ABAP and are created in the ECC abap backend.
  I have tried creating the users using the Visual Admin tool and it also created the users in the ECC abap backend
  I have in the past been able to create users in the UME only in fact I could not create Backend ABAP users from the POrtal
  Any help would be appreciated.
  Thanks
  sarah

  Haydn
  Thanks for your suggestion, I am still having problems
  I changed the SAPJSF user that communicates from the portal to the abap backend to read only. I got an error, it is still trying to create an ABAP backend user
  An error occurred in the persistence. The original message (possibly not translated) was: "BAPI_USER_CREATE1@RS2CLNT100: ID=01, NUMBER=491, MESSAGE=You are not authorized to create users in group". Contact your system administrator
  From the SAP Note 718383 it states the following:
  Supported changes to the data source configuration
  The allowed change options depend on the currently active data source configuration. You can determine the current data source configuration with the J2EE ConfigTool.
  In "cluster-data -> Global server configuration -> services -> com.sap.security.core.ume.service" check the property "ume.persistence.data_source_configuration".
  Depending on the data source configuration file you use, the following changes are possible:
  dataSourceConfiguration_abap.xml
  No change is possible.
  This configuration supports all usages (especially SAP Exchange Infrastructure and SAP Enterprise Portal) by making ABAP users and ABAP roles available as users and groups in the UME, and supports the creation of new groups in the UME (which are then stored in the local database) as well.
  Any other suggestions would be appreciated,
  Thanks
  Sarah

• MSAD upgrade to 2008 R2 - user authentication - HFM FDM 9.3 DM 11.1

  Looking to see if planned MSAD upgrade from 2003 to 2008 R2 will require any HFM, FDM or Disclosure Management administration to avoid possible user authentication errors? I understand they are compatible, but that doesn't necessarily mean connections will be uninterrupted. Anyone been there?

  What was the error in the schema update utility?
  The schema update log would be in the outbox\logs directory of the FDM application that is being upgraded.