Using NTLM authentication

Similar Messages

• Issue using Flash IDE with Mac OS and Windows Web Service using NTLM authentication?

  I have an existing application that I developed on a Windows machine using CS5.  It uses a local intranet web service written in .NET using NTLM authentication.  The web service does multiple things such as read data from an SQL database, provide the user's username, and test for write/read access to a local company fileshare.  When my company upgraded, I went to a Mac with Flash CC which is great.  However, Mac's don't handle HTTP Authorization Challenge Blocks like Windows machines.  In Safari, Chrome, etc. it will pop up a little username and password box and proceed on without issue.  The issue is in Flash development.  When running the exact same application in Flash testing all script access fails with HTTP Status 401 errors.  I have searched the AS3 documentation, but the only thing built in to handle http challenge requests is in AIR not Flash.  The server admin's and I have tried all method's of cross domain policy files and access changes with no luck at all.  Does anyone have a solution to this issue?

  Did you check Apple Support Boot Camp article?
  iMac displays a black screen during installation of Windows 7
  http://www.apple.com/support/bootcamp/
  Installation Guide
  Instructions for all features and settings.
  Boot Camp FAQGet answers to commonly asked Boot Camp questions.
  Windows 7 FAQAnswers to commonly asked Windows 7 questions.

• Using NTLM authentication on an internal ITS?

  Calling all mighty experts!
  After moving the ITS from an IIS to a WAS it is no longer possible to use the build-in ~HTTP_REMOTE_USER parameter that contains the windows user logon. This logon is obtained using NTLM which is an integrated part of the IIS.
  Does any knows how to obtain the users windows logon when they request an internal ITS internet service? Either by NTLM or by any other means? It can be assumed that the user is using Internet Explorer.
  Any help is greately appreciated!
  BR
  Jesper

  Hi Jesper,
  the ~HTTP_REMOTE_USER was set by the NTLM PAS module. PAS is an proprietary addon for ITS 6.20 provided by SAP to allow external authentication via PAS modules. With Netweaver 2004 the integrated ITS no longer has anything to do with authentication. This is done by the webAS. WebAs does not support PAS but provide a similar technique call JAAS (Java Authentication and Authorization Service) which other than SAP PAS is a industrial standard. SAP Note 858138 points to SAP documentation, Teched Sessions and e-learning. I would suggest that you use this note as a starting point. I assume there is a NTLM JAAS module available but have no further information about it. Maybe this module passes the user ID to the called service.
  Best regards,
  Klaus

• InfoPath form failed to use NTLM authentication to load data - Invalid authorization specification

  I knew this might be discussed in other places but I've searched over the web but still do not have a clue how to fix my issue.
  I am using SharePoint 2010 and I created an InfoPath form that reads data from a database using data connection file (udcx). As explained in many other articles, I've set up my secure store correctly and created an application called 'InvestmentOperationAccess'
  with a windows service account and then export the udcx file and enabled the <udc:Authentication> tag  as flowing:
  <udc:Authentication><udc:SSO AppId='InvestmentOperationAccess' CredentialType='NTLM' /></udc:Authentication>
  Then I upload this file back to the data connection library and approved. But when I try to load the form in web broswer, I received the following error:
  05/15/2013 14:40:15.09 w3wp.exe (0x0C94) 0x263C InfoPath Forms Services Runtime - Data Connections eq8l Warning The following query failed: EntityMatrixView (User:
  xxxxx\xxx, Form Name: Template, IP: , Connection Target: , Request:xxxxxxxxx(URL of the list) Form ID: urn:schemas-microsoft-com:office:infopath:list:-AutoGen-2013-05-14T23:32:41:604Z
  Type: DataAdapterException, Exception Message: The form cannot connect to the data source. Invalid authorization specification
  In the meantime, I used SQL profile try to capture the credential it is used by nothing was passed to that SQL box.
  Then I created another application in my secure store with SQL login account and modify my udcx file to be 
  <udc:Authentication><udc:SSO AppId='InvestmentOperationSQLAccess' CredentialType='SQL' /></udc:Authentication>
  This time when I load the form, everything worked and in SQL profile I can see it is reading data using the SQL account I specified in secure store.
  In a nutshell, it is working with SQL authentication type but not NTLM, anyone could help me with that?

  Same problem here. Anyone has a solution for that?
  It seems one cannot use windows accounts with secure store and database access for info path data sources ...

• NTLM authentication fails to connect using webdav on osX

  We are having problems in our organization getting our macs connected via webdav using NTLM authentication.
  Our structure is as follows:
  Netapp/IBM nSeries gateway/filer model n6040 which is our FTP/CIFS/Webdav host.
  Windows Server 2008 R2 Domain Controller with Active Directory
  Windows 7, Mac osX clients (various versions).
  From the windows side, we are able to connect to our filer via FTP, CIFS, and http/Webdav after we authenticate using our AD credentials.  From the Mac side, we can authenticate and connect to our filer using FTP, CIFS (using Connect to Server "smb://ourfiler.com") and through a browser using the address of http://ourfiler.com.  This type of connection using webdav works with Firefox but not using Safari or Chrome but isn't adequate enough for our users since the browser based connection is read only.  However, when we try to Connect to Server via webdav using our server address of http://ourfiler.com:80, we never get past the "Enter your name and password for the server "ourfiler.com." 
  We tried a third party webdav client on our macs: Cyberduck, which also fails to connect using webdav.   We also tried a separate linux client and were able to connect without any problems.
  Since authetication for webdav works on windows and linux, we're thinking there is problem with osX itself.  Has anyone else had this problem or can anyone suggest any workarounds/solutions?

  Sorry for the late replies gentleman... for some reason I didn't get email alerts when you guys posted....
  Anyways, yes the DC is on a different subnet and no we don't have WINS.  The way I understand it is the client will contact the master browser in it's local subnet... all the master browsers in all other subnets contacts the Domain master browser ...
  and they share the server list this way... I mean it's a little more complicated than that....well to me at least...
  Can you try resolving the short name with the domain controller being on another subnet and you having a different master browser in your client subnet?
  What is the process the client goes thru when looking up Domain netbios name?  LIke for DNS, it's straight forward... the client looks at DNS server, then for the SRV records for the Site the client is in and get's domain controller.......   How
  does this work for netbios domain name?  There is NO WINS in the environment.
  Chau

• Event ID 6038 LsaSrv NTLM authentication warning

  Searching the internets we haven't found any other references to this particular Event ID Warning message. 
  It's likely new in Windows Server 2012, we are part of an Active Directory that is at Forest Functional Level:
   Windows Server 2008, but out Child Domain is at Domain Functional Level:
   Windows Server 2012 (3 Domain Controllers in our Child Domain). 
  Clicking on the URL in the Description of the Event ID just link to a ‘Windows Server Future Resources’ placeholder page. 
  The full Event ID is pasted in below.
  We would like to know how to complete these checks, and if possible, raise our NTLM Authentication to Kerberos. 
  How are these tasks accomplished on Windows Server 2012 Domain Controllers? 
  Thanks in advance for any help! 
  Log Name:      System
  Source:        LsaSrv
  Date:         
  12/27/2012 6:00:01 PM
  Event ID:      6038
  Task Category: None
  Level:        
  Warning
  Keywords:      Classic
  User:         
  N/A
  Computer:      <server
  FQDN>
  Description:
  Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
  NTLM is a weaker authentication mechanism. Please check: 
        Which applications are using NTLM authentication?
        Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
        If NTLM must be supported, is Extended Protection configured? 
  Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

  Thank you for your reply, your links above address Kerberos vs. NTLM specifically for IIS.
  I did more digging and found this TechNet link that deals with Kerberos vs. NTLM for Domain Controllers. 
  It looks to be the best/only article I can find from Microsoft on how to audit NTLM usage, and eventually get to the point of using the group policy settings - Network Security: Restrict NTLM. 
  So until they update/activate the URL in the 6038 Event ID description to something better/more concise, this TechNet link will have to do: 
  Auditing and restricting NTLM usage guide
  http://technet.microsoft.com/en-us/library/jj865674(v=ws.10).aspx
  Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
  This guide for the IT professional introduces the steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies, which were introduced in the Windows Server 2008 R2 and Windows 7 operating
  systems.
  With the advent of more secure authentication protocols, such as Kerberos, industry requests for the ability to better manage the NTLM protocol in their environments have increased. Reducing the usage of the NTLM protocol in an IT environment requires both
  the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively
  restrict NTLM traffic.
  This guide only addresses how to collect and analyze events by using functionality found in the Windows operating environment.

• NTLM Authentication in the Outlook Anywhere

  I use Exchange Server 2007 sp1 RollUp 6 installed on Windows Server 2008. I need to use Outlook Anywhere from non-domain computers. I test Outlook Anywhere with Basic and NTLM Authentication and all works fine. But when I use NTLM authentucation, Outlook promt user credential every time when it start, even "remember password" was checked. The login and password are remembered in the network password of user, but Outlook prompt password again and again, when it starts. Exchange published by 443 port directly (without any listeners)!
  When I connect by VPN, and use TCP/IP connection to the server, Outlook remeber password withoun any problems, and did not ask password again.
  get-OutlookAnywhere:
  ServerName                 : SRVEXCH2
  SSLOffloading              : False
  ExternalHostname           : mail.my_domain.ru
  ClientAuthenticationMethod : Ntlm
  IISAuthenticationMethods   : {Ntlm}
  MetabasePath               : IIS://srvexch2.net.local/W3SVC/1/ROOT/Rpc
  Path                       : C:\Windows\System32\RpcProxy
  Server                     : SRVEXCH2
  AdminDisplayName           :
  ExchangeVersion            : 0.1 (8.0.535.0)
  Name                       : srvexch2
  DistinguishedName          : CN=srvexch2,CN=HTTP,CN=Protocols,CN=SRVEXCH2,CN=Servers,CN=Exchange Administrative Group (
                               FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=S
                               ervices,CN=Configuration,DC=net,DC=local
  Identity                   : SRVEXCH2\srvexch2
  Guid                       : 2c24f11b-852c-4948-b236-3f37d071d500
  ObjectCategory             : net.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
  ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
  WhenChanged                : 18.02.2009 14:17:55
  WhenCreated                : 17.02.2009 14:53:36
  OriginatingServer          : dc1.net.local
  IsValid                    : True
  I have tried this cases, but they have not helped for this issue:
  1) Disable kernel mode authentication with this command: %systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false, I  also have unchecked Kernel mode authentication in the properties of Windows Authentication for Default Web site, \Rpc and \Autodiscovery virtual directories.
  2) Modify this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa lmcompatibilitylevel=3 and 2.
  3) Set NTLM instead of Kerberos on the security tab in the properties of Outlook.
  4) Install domain controller and global catalog roles on the Exchange Server.
  Somebody have any solution for this issue? May be Outlook Anywhere and NTLM do not work at all?

  Have you also seen this:
  You must provide Windows account credentials when you connect to Exchange Server 2003 by using the Outlook 2003 RPC over HTTP feature
  http://support.microsoft.com/kb/820281
  1.
  Click
  Start,
  click Run,
  type regedit in the Open
  box, and then press ENTER.
  2.
  Locate
  and then click the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
  3.
  In
  the right pane, double-click lmcompatibilitylevel.
  4.
  In
  the Value data
  box, type a value of 2 or 3 that is appropriate for your environment, and
  then click OK.
  5.
  Quit
  Registry Editor.
  6.
  Restart
  your computer.
  LmCompatibilityLevel
  settings
  The
  LmCompatibilityLevel registry entry can be configured with the following
  values:
  LmCompatibilityLevel
  value of 0:
  Send LAN Manager (LM) response and NTLM response; never use NTLM version 2
  (NTLMv2) session security. Clients use LM and NTLM authentication, and
  never use NTLMv2 session security; domain controllers accept LM, NTLM, and
  NTLMv2 authentication.
  LmCompatibilityLevel
  value of 1:
  Use NTLMv2 session security, if negotiated. Clients use LM and NTLM
  authentication, and use NTLMv2 session security if the server supports it;
  domain controllers accept LM, NTLM, and NTLMv2 authentication.
  LmCompatibilityLevel
  value of 2:
  Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2
  session security if the server supports it; domain controllers accept LM,
  NTLM, and NTLMv2 authentication.
  LmCompatibilityLevel
  value of 3:
  Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2
  session security if the server supports it; domain controllers accept LM,
  NTLM, and NTLMv2 authentication.
  LmCompatibilityLevel
  value of 4:
  (Server Only) - Domain controllers refuse LM responses. Clients use NTLM
  authentication, and use NTLMv2 session security if the server supports it;
  domain controllers refuse LM authentication, and accept NTLM and NTLMv2
  authentication.
  LmCompatibilityLevel
  value of 5:
  (Server Only) - Domain controllers refuse LM and NTLM responses, and accept
  only NTLMv2 responses. Clients use NTLMv2 authentication, use NTLMv2
  session security if the server supports it; domain controllers refuse NTLM
  and LM authentication, and accept only NTLMv2 authentication.
  Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator

• Oracle Single Sign-On: Use NTLM inside LAN

  hi,
  i want to configure oracle single sign-on to use NTLM authentication when accessing a protected resource from the LAN (specific IP-range). when a user is accessing a protected resource from the internet it should still show up the login-page.
  how can i achieve that?
  regards,
  matthias

  Hi Darsh,
  1. Oracle Internet Directory (OID) is Oracle LDAP storage solution (more here), Oracle Virtual Directory is Oracle solution that can read identity data (and filter it (mask it) based on policies) from Oracle/non-Oracle databases, Oracle/non-Oracle Directories and files and provide the user profiles as LDAP view (more here), There is nothing called Oracle Active Directory, you must be referring to Microsoft Active Directory.
  2. No, Oracle Single Sign On (OSSO) is a feature in iAS (its obsolete), Identity Management is wide umbrella of solutions and concepts.
  3. Oracle Access Manager is one component of Oracle Identity and Access Management suite of products.
  4. Webgate is Oracle access Manager agent that is installed on a webtier, it intercepts the web requests and collect the credentails, send them to Oracle Access Manager for security evaluation (decide what Authentication is needed, verify collect credentials, etc), webgate then enforce the Access Manager decision.
  5. Oracle EBS AccessGate is a java application that has the same use of OAM Webgate (it is OAM agent) but specific to E Business suite, EBS Access Gate is the new solution replacing OSSO agents, OAM is replacing OSSO server component, EBS and OSSO customers can use OAM server with OSSO agents, or with EBS AccessGate.
  HTH.
  Ghassan

• Deep Linking and NTLM Authentication

  I have an app that uses NTLM Authentication. When I try to pass a parameter from a link in an email, the deep link page opens but the parameter doesn't get set. When i change the Authentication to 'Application Express', the parameter gets set. Is there a work-around for this?

  Scott,
  Thanks for your reply.
  You can see the app here;
  http://apex.oracle.com/pls/otn/f?p=48061
  Username = dev
  PSW = dev
  I want to bring up a specific employee from an email link like this;
  http://apex.oracle.com/pls/otn/f?p=48061:4:::::P4_EMPNO:7839
  The deep link and parameters work fine when I use 'Application Express' authentication.
  When I use NTLM authentication, P4_EMPNO never gets set.
  To see the code go into;
  workspace = danmar
  Username = dev
  PSW = dev
  Thanks for your help.
  Bob

• Setting up NTLM authentication

  Hi,
  I have a j2ee component deployed, I want to use NTLM authentication for logon,
  can some one explain how to Configure NTLM and use it.
  Regards
  Abhijith YS

  Hi
  It Requires some NTLM Proxy modules which contains iisproxy.xml and other files which sap is no longer providing, so I dont think this method can be used.
  Regards
  Abhijith YS

• Prerequisites for Using Windows NTLM Authentication

  Hi,
  One of the prerequisites for using Windows NTLM Authentication, mentioned on help.sap.com documentation, is:
  - The user’s Web browser must be a Microsoft Internet Explorer
  This means that users not using Internet Explorer can’t authenticate using other web browser (Firefox and Netscape).
  In PAM, SAP says that web browser based on mozzila 1.7.x is also supported, and from this version on, Firefox and Netscape, both, support NTLM.
  NTLM Authentication in portal, still be supported with IE web browser?
  Thanks and Regards,
  Paul

  Hi Paul,
  I suspect that although it may not be officially supported, it will work.  The main thing is that a frontend web server perform the NTLM authentication and pass the header variable back to the J2EE engine.  By the time the header gets back to the J2EE engine, I dont think the portal has any idea how the header REMOTE_USER was generated, just that it was.
  Not positive though, as I havent tested the scenario you describe below..just thought I'd throw in my two cents.
  Marty

• Public-facing on-premises SharePoint with NTLM authentication

  I've been searching for authentication best practices for public-facing SharePoint site but I didn't find any useful resources on the issue that is troubling me.
  Assume I set up a web application with Classic NTLM authentication. On that web application I enable
  Anonymous access. This means that users inside organization's network will be able to authenticate (actually use SSO) using organization's DC. They will be able to access and administer all content. All other anonymous users will be able to see
  published content only i.e. content which is permitted to anonymous users.
  My question is: Is this kind of setup a security issue because if a potential attacker hacks a WFE then he has direct access to DC?
  Is FBA maybe a better solution for public-facing sites? Or maybe use NTLM, but create a separate domain with one-way trust to organization's domain?

  There are many variations you can take with this - and really you need to consider more than just your content. For true separation:
  I would have a dedicated DC to manage service accounts.
  I would break up my DMZ behind firewall contexts with a reverse proxy publishing SharePoint at the edge.
  proxy/firewall -- SP Server -- Firewall -- SQL/DC
  For true separation you don't want to share any underlying infrastructure with internal either, although in reality logical separation is usually enough.
  Now you have to deal with internal user authentication and how to handle that. The first thing is I would have at minimum two webs available, your primary for editing and the extended version for public access.
  While a one way trust would work - you still do expose user info out to the public which you may not want. With this configuration you could configure people picker to only select from a particular OU to minimize this.
  Another option however is to look at using ADFS between your domains and create the trust there. You would have to configure the farm for claims auth to make this work, but this would eliminate the possibility of probing all the users in AD or the OU you expose.
  With the ADFS method when you update documents you user name is still tagged to content - however if you don't populate the user profiles this will be the only information available about any internal user.
  You may even want to go a step further and when you extend the public site, use forms authentication but don't provide any users. Then there is no authenticated access from the public URL. And with ADFS/Reverse Proxy may you even be able to configure some pre
  authentication for your internal users before they can even reach the internal SharePoint pages.
  I would strongly consider moving to SharePoint 2013 and looking at the cross site publishing (2010 and below have the content publishing - but stay away from that, when it works it's great, but when it doesn't it's a PITA to get back in sync). with cross site
  publishing you have an editing site and the publishing site pulls from the Search index and the permissions are completely separate.

• Invoking a Web Service that Requests NTLM Authentication in BPEL Process

  Hi,
  I am trying to invoke a webservice which requires NTLM Authentication.able to test the service through SOAP ui .
  Followed the steps memntioned in the oracle doc in order to invoke the same service through BPEL Process, some how I am facing issue when BPEL invokes the service. Here is the error message
  oracle.fabric.common.FabricException: oracle.fabric.common.FabricException: Error in getting XML input stream: Response: '401: Unauthorized' for url:
  Oracle doc link  :-
  http://docs.oracle.com/cd/E28280_01/admin.1111/e10226/soacompapp_secure.htm#BABJEBIF
  http://www.albinsblog.com/2014/04/oraclewebservicespreemptivebasicauth.html#.VK5UEiuUeFM
  The above link discuss about the properties that need to be set in composite.xml file in order to invoke the service.
  I am using SOA 11.1.1.6,  tried to implement the same steps but i could see the error message "Unauthorized for url ********** "
  Could you please help me on this.
  Thanks

  Hi Guys ,
  Got to kow that this is a bug. Some how following link helps in sending the payload to webservice which requires NTLM authentication thru JAVA.
  Thoughts Oracle SOA OSB: NTML Authentication - Oracle SOA suite
  Thanks

• Windows NTLM Authentication on SAP 4.6c (Platform AIX)

  I am trying to use NCo 2.0 for C# .Net application with Web Service and C# Web UI.
  My Users are in AD domain and need to authenticate on IIS via AD (Integrated NTLM)
  I need to implement single sign on for SAP integrated application.
  As per NCo documentation: I need to set-up trust relationship between IIS and SAP, use this trusted user (DOMAIN\IUSR_SAPPOOL) and send active directory  id as external id in connection string. All transaction should run with external user id context.
  Can someone help me with following question.
  1. Does NTLM trust relationship / authentication on SAP running on AIX? or Do I have to setup kerberos authetication?
  2. What SNC library needed for SAP (AIX instance)?
  3. How can I configure NTLM authentication on SAP (AIX instance) The NCo 2.0 documents only explains SAP (MS instance) configuration.
  What option do I have to get Single Sign On working?
  Any help is highly appreciated.
  Regards and Thank you in advance.

  > Hi Reiner,
  > Thank you very much for response, this is helpful
  > information.
  If you consider an answer as helpfull, please mark it with the button on the left side :-).
  > My options are pretty much limited,
  > I can't use NTLM since, AIX will not accept trust
  > -- NTLM Auth will not work with AIX
  > -- Kerberos auth have to have third party tool like
  > CyberSafe for SNC trust relationship.
  As I wrote, you can use any SNC provider. Especially Secude would be interesting, as it is available on all platforms.
  > I planning to try using SSO as mentioned in "Enabling
  > Single Sign-On for ASP.NET Applications in Enterprise
  > Portal 6"
  > Is this approach works with EP 5.0?
  This is a completely different approach: In the stuff I was writing to you before I was assuming that IIS would do the authentication. The other approach is that SAP Portal does it. This also works - EP 5.0 should be fine - but it works completely different. E.g. you doesn't need a trusted connection for SSO with MYSAPSSO2 ticket.
  > If any one has "sapsecu.dll" please send me at
  > [email protected] with same size as stated in
  > this document.
  This DLL is not allowed to be exported into some countries because it contains strong cryptography. You usually get it via your local SAP subsiduary.
  > My SSO ticket did not get created after following
  > steps in document, I am suspecting either sapsecu.dll
  > or veryfy.pse is wrong?
  Did you find a MYSAPSSO2 cookie in the request?

• Ntlm authenticated apps fails after 3.1.1 upgrade

  I upgraded my apex instance to 3.1.1 on Friday without any issues. I can log into application builder without any problems and the version 3.1.1.00.09.
  Everything in app builder works as expected. However, when I try to run my NTLM authenticated application, I get errors and the page fails to load.
  Furthermore, this only happens on my 11g database.
  The exact same app, using the same NTLM authentication works just fine on 10g.
  The Apache errors log states:
  mod_plsql: /pls/apex/f HTTP-404 ORA-03113: end-of-file on communication channel\n
  mod_plsql: Unable to reset state for mode 0: Err 3114 url=>/pls/apex/f           I have PlsqlErrorStyle          DebugStyle set, so the page returns a fair amount of data.
  Wed, 28 May 2008 14:07:17 GMT
  ORA-03113: end-of-file on communication channel
    DAD name: apex
    PROCEDURE  : f
    URL        : http://ecydblcyorwqt03.ecy.wa.lcl:80/pls/apex/f?p=127:51:339228564056494:::::
    PARAMETERS :
    ===========
    p:
     127:51:339228564056494:::::
    ENVIRONMENT:
    ============
      PLSQL_GATEWAY=WebDb
      GATEWAY_IVERSION=2
      SERVER_SOFTWARE=Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
      GATEWAY_INTERFACE=CGI/1.1
      SERVER_PORT=80
      SERVER_NAME=ecydblcyorwqt03.ecy.wa.lcl
      REQUEST_METHOD=GET
      QUERY_STRING=p=127:51:339228564056494:::::
      PATH_INFO=/f
      SCRIPT_NAME=/pls/apex
      REMOTE_HOST=
      REMOTE_ADDR=165.151.57.100
      SERVER_PROTOCOL=HTTP/1.1
      REQUEST_PROTOCOL=HTTP
      REMOTE_USER=ECY\taus461
      ORACLE_SSO_USER=
      OSSO_IDLE_TIMEOUT_EXCEEDED=
      OSSO_USER_GUID=
      HTTP_CONTENT_LENGTH=
      HTTP_CONTENT_TYPE=
      HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
      HTTP_HOST=ecydblcyorwqt03
      HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      HTTP_ACCEPT_ENCODING=gzip,deflate
      HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
      HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
      HTTP_COOKIE=WEBWPLCS_USER=TAUS461; WEBWPLCS_LAST=04.29.2008 11:41:38; ORA_WWV_R1=%23ALL; ORA_WWV_R2=%23ALL; ORA_WWV_R3=%23ALL; ORA_WWV_REMEMBER_UN=ADMIN:webwplcs; ORACLE_PLATFORM_REMEMBER_UN=ADMIN:webwplcs; ORA_WWV_USER=3B1A5D9EA835D646; WWV_CUSTOM-F_1021906798187125_122=9F806B35C3D9AF51
      HTTP_IF_MODIFIED_SINCE=
      HTTP_REFERER=http://ecydblcyorwqt03/pls/apex/f?p=4000:4150:339228564056494::NO:::
      HTTP_SOAPACTION=
      HTTP_ORACLE_ECID=1211983633:165.151.5.125:6156:6252:488,0
      HTTP_ORACLE_CACHE_VERSION=
      HTTP_AUTHORIZATION=NTLM  xyz
      WEB_AUTHENT_PREFIX=
      DAD_NAME=apex
      DOC_ACCESS_PATH=docs
      DOCUMENT_TABLE=wwv_flow_file_objects$
      PATH_ALIAS=
      REQUEST_CHARSET=AL32UTF8
      REQUEST_IANA_CHARSET=UTF-8
      SCRIPT_PREFIX=/pls
      HTTP_IF_MATCH=
      HTTP_CACHE_CONTROL=
      SOAP_BODY=
      HTTP_X_ORACLE_DEVICE_CLASS=
      HTTP_X_ORACLE_DEVICE_ORIENTATION=
      HTTP_X_ORACLE_DEVICE_MAXDOCSIZE=
      HTTP_X_ORACLE_DEVICE=
      HTTP_X_ORACLE_ORIG_ACCEPT=
      HTTP_X_ORACLE_ORIG_USER_AGENT=
      HTTP_X_ORACLE_USER_LOCALE=
      HTTP_X_ORACLE_USER_NAME=
      HTTP_X_ORACLE_USER_DISPLAYNAME=
      HTTP_X_ORACLE_USER_USERKIND=
      HTTP_X_ORACLE_USER_AUTHKIND=
      HTTP_X_ORACLE_USER_DEVICEID=
      HTTP_X_ORACLE_USER_LOCATION_ADDRESSLINE1=
      HTTP_X_ORACLE_USER_LOCATION_ADDRESSLINE2=
      HTTP_X_ORACLE_USER_LOCATION_ADDRESSLASTLINE=
      HTTP_X_ORACLE_USER_LOCATION_BLOCK=
      HTTP_X_ORACLE_USER_LOCATION_CITY=
      HTTP_X_ORACLE_USER_LOCATION_COMPANYNAME=
      HTTP_X_ORACLE_USER_LOCATION_COUNTY=
      HTTP_X_ORACLE_USER_LOCATION_STATE=
      HTTP_X_ORACLE_USER_LOCATION_POSTALCODE=
      HTTP_X_ORACLE_USER_LOCATION_POSTALCODEEXT=
      HTTP_X_ORACLE_USER_LOCATION_COUNTRY=
      HTTP_X_ORACLE_USER_LOCATION_TYPE=
      HTTP_X_ORACLE_USER_LOCATION_X=
      HTTP_X_ORACLE_USER_LOCATION_Y=
      HTTP_X_ORACLE_SERVICE_HOME_URL=
      HTTP_X_ORACLE_SERVICE_PARENT_URL=
      HTTP_X_ORACLE_HOME_URL=
      HTTP_X_ORACLE_MODULE_CALLBACK_URL=
      HTTP_X_ORACLE_MODULE_CALLBACK_LABEL=
      HTTP_X_ORACLE_CACHE_USER=
      HTTP_X_ORACLE_CACHE_SUBID=
      HTTP_X_ORACLE_CACHE_AUTH=
      HTTP_X_ORACLE_CACHE_DEVICE=
      HTTP_X_ORACLE_CACHE_LANG=
      HTTP_X_ORACLE_CACHE_ENCRYPT=
      HTTP_X_ORACLE_ASSERT_USER=There are no invalid objects in the FLOWS schema and the page sentry function I use for NTLM is also valid.
  There isn't a database connection issue since both builder and SQL Plus works.
  Here is my NTLM Page Sentry which is a slightly modified version of the GreenIT version
  CREATE OR REPLACE FUNCTION modNtlmPageSentry(pApexUser IN VARCHAR2 DEFAULT 'APEX_PUBLIC_USER')
  RETURN BOOLEAN
  IS
    vAuthenticatedUsername  VARCHAR2(512);
    vCurrentSessionId       NUMBER;
    l_cnt binary_integer :=0;
  BEGIN
    -- Get Authenticated User.
    vAuthenticatedUsername := UPPER(owa_util.get_cgi_env('REMOTE_USER'));
    vAuthenticatedUsername := substr(vAuthenticatedUsername,instr(vAuthenticatedUsername,'\')+1);
    if to_char(v('APP_ID')) = '127' -- WebWPLCS
    then
         apex_util.set_session_state('P18_USERNAME',vAuthenticatedUsername);
    elsif to_char(v('APP_ID')) = '124' --TMS
    then
    -- check to see if they are a listed TMS manager or overall admin
        select sum(cnt) into l_cnt
        from (
             select count(0) cnt
             from tms_managers
             where username=vAuthenticatedUsername
             union
             select count(0) cnt
             from tms_admin
             where username=vAuthenticatedUsername
             union
             select count(0) cnt
             from web_admin
             where username=vAuthenticatedUsername
        if l_cnt < 1
        then
       return FALSE;
        end if;
    end if;
    -- Check to ensure that we are running as the correct database user.
    IF USER ^= UPPER(pApexUser) THEN
      RETURN FALSE;
    END IF;
    IF vAuthenticatedUsername IS NULL THEN
      RETURN FALSE;
    END IF;
    -- Get SessionId.
    vCurrentSessionId := wwv_flow_custom_auth_std.get_session_id_from_cookie;
    -- Check Application Session Cookie.
    IF wwv_flow_custom_auth_std.is_session_valid THEN
      apex_application.g_instance := vCurrentSessionId;
      -- Check Authenticated User --> Username from wwv_flow_session$ for
      --   current Session.
      IF vAuthenticatedUsername = wwv_flow_custom_auth_std.get_username THEN
        wwv_flow_custom_auth.define_user_session(p_user => vAuthenticatedUsername,
          p_session_id => vCurrentSessionId);
        RETURN TRUE;
      ELSE
        -- Unset the Session Cookie and redirect back here to take other branch.
        wwv_flow_custom_auth_std.logout(p_this_flow => v('FLOW_ID'),
          p_next_flow_page_sess => v('FLOW_ID') || ':' || NVL(v('FLOW_PAGE_ID'), 0)
          || ':' || vCurrentSessionId);
        -- Tell Apex Engine to quit.
        apex_application.g_unrecoverable_error := TRUE;
        RETURN FALSE;
      END IF;
    ELSE
      -- Application Session Cookie not valid --> Define a new Apex Session.
      wwv_flow_custom_auth.define_user_session(p_user => vAuthenticatedUsername,
        p_session_id => wwv_flow_custom_auth.get_next_session_id);
      -- Tell Apex Engine to quit.
      apex_application.g_unrecoverable_error := TRUE;
      IF owa_util.get_cgi_env('REQUEST_METHOD') = 'GET'  THEN
        wwv_flow_custom_auth.remember_deep_link(p_url => 'f?' ||
          wwv_flow_utilities.url_decode2(owa_util.get_cgi_env('QUERY_STRING')));
      ELSE
        wwv_flow_custom_auth.remember_deep_link(p_url => 'f?p=' ||
          TO_CHAR(apex_application.g_flow_id) || ':' ||
          TO_CHAR(NVL(apex_application.g_flow_step_id, 0)) || ':' ||
          TO_CHAR(apex_application.g_instance));
      END IF;
      -- Register the Session in Apex Sessions Table, set Cookie, redirect back.
      wwv_flow_custom_auth_std.post_login(p_uname => vAuthenticatedUsername,
        p_session_id => nv('APP_SESSION'), p_flow_page => apex_application.g_flow_id
        || ':' || NVL(apex_application.g_flow_step_id, 0));
      RETURN FALSE;       
    END IF;   
  END modNtlmPageSentry;Does anyone have any ideas on where to look next?
  Regards, Tony
  <b>Update</b>
  For kicks, I added the page sentry function to the list in the <b>wwv_flow_epg_include_mod_local</b> function.
  I bounced both the HTTP Server and the database.
  None of these actions solved the problem.

  Joel -
  The alert log states that there is a 7445 error now from Apache
  host_id='ECYDBLCYORWQT01' host_addr='165.151.5.123' module='Apache.exe'
  pid='416'>
  <txt>Exception [type: ACCESS_VIOLATION, UNABLE_TO_READ] [ADDR:0x0] [PC:0x69A2AB3, _pfrinstr_BRNCCOND()+39]
  msg_id='1422874948' type='INCIDENT_ERROR' group='Access Violation'
  level='1' host_id='ECYDBLCYORWQT01' host_addr='165.151.5.123'
  prob_key='ORA 7445 [pfrinstr_BRNCCOND()+39]' upstream_comp='' downstream_comp=''
  ecid='' errid='12252' ORA-07445: exception encountered: core dump [pfrinstr_BRNCCOND()+39] [ACCESS_VIOLATION] [ADDR:0x0] [PC:0x69A2AB3] [UNABLE_TO_READ] []The trace file just states the same 7445 error:
  ORA-07445: exception encountered: core dump [pfrinstr_BRNCCOND()+39] [ACCESS_VIOLATION] [ADDR:0x0] [PC:0x69A2AB3] [UNABLE_TO_READ] []The incident trace file states that the current SQL was:
  ----- Current SQL Statement for this session (sql_id=bng4udk9mvtsh) -----
  declare function x return boolean is begin
  return mergedwplcs.modNtlmPageSentry; return false; end;
  begin
  wwv_flow.g_boolean := x; end;
  ----- PL/SQL Stack -----
  ----- PL/SQL Call Stack -----
    object      line  object
    handle    number  name
  2B6ACD34      1020  package body FLOWS_030100.WWV_FLOW_CUSTOM_AUTH_STD
  2B6ACD34       662  package body FLOWS_030100.WWV_FLOW_CUSTOM_AUTH_STD
  2B6BB44C        59  function MERGEDWPLCS.MODNTLMPAGESENTRY
  2B6BBD1C         2  anonymous block
  2B6BBD1C         4  anonymous block
  2B6BC674      1815  package body SYS.DBMS_SYS_SQL
  2B6BD29C       296  package body SYS.WWV_DBMS_SQL
  2B70B5D0      1352  package body FLOWS_030100.WWV_FLOW_SECURITY
  2B70B5D0      1158  package body FLOWS_030100.WWV_FLOW_SECURITY
  2B71BA2C      8847  package body FLOWS_030100.WWV_FLOW
  2B72FB04       255  procedure FLOWS_030100.F
  2B7E4F1C        31  anonymous blockWhich makes sense given that I was trying to log into the application. All of these functions and packages are valid.